Summary: | dev-lang/go: infinite loop in several big integer routines (CVE-2016-3959) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | arm, williamh |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1324343 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
![]() Go 1.6.1 is in the tree, and should contain the fix [1]. Do we need to do a fast stable for this? If so, go ahead and add arch teams. The targets should be amd64, arm and x86. [1] http://www.openwall.com/lists/oss-security/2016/04/05/1 I spoke with k_f about this bug and he agrees we should fast stable. I will handle amd64 and x86. Arm team, please stable dev-lang/go-1.6.1. @security: What do we want to do with this bug since all affected versions have been removed for a while? CVE-2016-3959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3959): The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries. GLSA Vote: No. |