Bug 710142 (CVE-2019-11841, CVE-2020-9283)

Summary: <dev-go/go-crypto-0_pre20180816: Multiple vulnerabilities (CVE-2019-11841, CVE-2020-9283)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: trivial
CC: embedded, williamh, zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa cleanup masked cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2020-02-19 08:14:10 UTC
From https://bugzilla.redhat.com/1804533 :
Upcoming security fix for the golang.org/x/crypto/ssh package in the
golang.org/x/crypto module.


Reference:

https://groups.google.com/forum/#!topic/kubernetes-security-discuss/s15RxeNdBLc

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Sam James gentoo-dev Security 2020-03-16 18:49:33 UTC
(In reply to Agostino Sarubbo from comment #0)
> From https://bugzilla.redhat.com/1804533 :
> Upcoming security fix for the golang.org/x/crypto/ssh package in the
> golang.org/x/crypto module.
> 
> 
> Reference:
> 
> https://groups.google.com/forum/#!topic/kubernetes-security-discuss/
> s15RxeNdBLc
> 
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know if it is ready for the stabilization or not.

Patch: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236

It looks like this is actually dev-go/go-crypto.

@maintainer(s): ok to apply patch or create a new ebuild? thanks!
Comment 2 Sam James gentoo-dev Security 2020-03-16 22:04:24 UTC
(In reply to sam_c (Security Padawan) from comment #1)
> (In reply to Agostino Sarubbo from comment #0)
> > From https://bugzilla.redhat.com/1804533 :
> > Upcoming security fix for the golang.org/x/crypto/ssh package in the
> > golang.org/x/crypto module.
> > 
> > 
> > Reference:
> > 
> > https://groups.google.com/forum/#!topic/kubernetes-security-discuss/
> > s15RxeNdBLc
> > 
> > @maintainer(s): after the bump, in case we need to stabilize the package,
> > please let us know if it is ready for the stabilization or not.
> 
> Patch:
> https://github.com/golang/crypto/commit/
> bac4c82f69751a6dd76e702d54b3ceb88adab236
> 
> It looks like this is actually dev-go/go-crypto.
> 
> @maintainer(s): ok to apply patch or create a new ebuild? thanks!

Another vulnerability.

2) CVE-2020-7919

Description:
"On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue.
The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte."

URL: https://groups.google.com/forum/#!topic/golang-announce/Hsw4mHYc470

(see also bug 712924).

May be easier to just bump the ebuild at this point.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-16 23:05:38 UTC
We need to check which versions contain https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236.
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-03-16 23:16:13 UTC
Vulnerability is in dev-go/go-crypto!

Package has no stable ebuild.

@ maintainer(s): Please bump and drop =dev-go/go-crypto-0_pre20180816 afterwards!
Comment 5 Zac Medico gentoo-dev 2020-03-20 06:27:03 UTC
The dev-go/go-crypto package is deprecated and the only non-masked and non-deprecated consumer package is dev-embedded/arduino-builder-1.4.1 (dev-embedded/arduino-builder-1.4.1-r1 is fixed).

The dependency chain is:

dev-embedded/arduino-builder-1.4.1 ->
   dev-go/go-net (deprecated) ->
       dev-go/go-crypto (deprecated)

@embedded: please remove dev-embedded/arduino-builder-1.4.1.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-04-23 21:23:01 UTC
CVE-2019-11841 (https://nvd.nist.gov/vuln/detail/CVE-2019-11841):
  A message-forgery issue was discovered in
  crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography
  libraries 2019-03-25. According to the OpenPGP Message Format specification
  in RFC 4880 chapter 7, a cleartext signed message can contain one or more
  optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message
  digest algorithm(s) used for the signature. However, the Go clearsign
  package ignores the value of this header, which allows an attacker to spoof
  it. Consequently, an attacker can lead a victim to believe the signature was
  generated using a different message digest algorithm than what was actually
  used. Moreover, since the library skips Armor Header parsing in general, an
  attacker can not only embed arbitrary Armor Headers, but also prepend
  arbitrary text to cleartext messages without invalidating the signatures.
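The CVE text above describes two gaps in clearsign handling: the "Hash" armor header was never compared against the digest the signature actually used, and the whole header block was skipped, so extra headers or free text could be placed there without breaking the signature. The following added example (written for this page; not code from Gentoo, from the Go project or from the fix commit) implements the strict header handling a verifier wants on the receiving side: only "Hash" headers with known RFC 4880 digest names are accepted, any other line in the header block is rejected, and the declared digest is checked against the one the caller's signature parser reports. Requiring a Hash header at all is a policy choice in this example (RFC 4880 would fall back to MD5); the sample messages and the placeholder signature block are constructed and carry no real signature.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const (
	beginSigned    = "-----BEGIN PGP SIGNED MESSAGE-----"
	beginSignature = "-----BEGIN PGP SIGNATURE-----"
)

// allowedHashes are the digest names RFC 4880 defines for the "Hash" armor
// header; a deployment would normally drop MD5 and SHA1 from this set.
var allowedHashes = map[string]bool{
	"MD5": true, "SHA1": true, "RIPEMD160": true, "SHA224": true,
	"SHA256": true, "SHA384": true, "SHA512": true,
}

// Clearsigned holds what the parser recovered from a cleartext signed message.
type Clearsigned struct {
	Hashes []string // digest names declared in the Hash: header(s)
	Body   string   // dash-unescaped cleartext between the blank line and the signature
}

// ParseClearsigned reads the armor header block strictly: the message must start
// with the BEGIN line, every header line must be "Hash: <alg>[, <alg>...]" with
// known algorithms, and nothing else is tolerated before the blank line. That
// closes both gaps in the CVE text: smuggled headers and smuggled free text.
func ParseClearsigned(msg string) (*Clearsigned, error) {
	lines := strings.Split(strings.ReplaceAll(msg, "\r\n", "\n"), "\n")
	if len(lines) == 0 || lines[0] != beginSigned {
		return nil, errors.New("message does not start with " + beginSigned)
	}
	out := &Clearsigned{}
	i := 1
	for ; i < len(lines); i++ {
		line := lines[i]
		if line == "" {
			break // blank line ends the armor headers
		}
		kv := strings.SplitN(line, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("free text %q in armor header block", line)
		}
		if kv[0] != "Hash" {
			return nil, fmt.Errorf("unexpected armor header %q", kv[0])
		}
		for _, alg := range strings.Split(kv[1], ",") {
			alg = strings.TrimSpace(alg)
			if !allowedHashes[alg] {
				return nil, fmt.Errorf("unknown digest %q in Hash header", alg)
			}
			out.Hashes = append(out.Hashes, alg)
		}
	}
	if i == len(lines) {
		return nil, errors.New("armor header block never ends")
	}
	if len(out.Hashes) == 0 {
		// Policy choice for this example; RFC 4880 would assume MD5 here.
		return nil, errors.New("no Hash armor header")
	}
	var body []string
	for i++; i < len(lines); i++ {
		line := lines[i]
		if line == beginSignature {
			out.Body = strings.Join(body, "\n")
			return out, nil
		}
		body = append(body, strings.TrimPrefix(line, "- ")) // undo dash-escaping
	}
	return nil, errors.New("no PGP SIGNATURE block found")
}

// CheckDeclaredHash fails unless the digest the signature packet actually uses
// (sigHash, as reported by the caller's signature parser) was declared in the
// Hash header, so a spoofed header no longer goes unnoticed.
func CheckDeclaredHash(c *Clearsigned, sigHash string) error {
	for _, h := range c.Hashes {
		if h == sigHash {
			return nil
		}
	}
	return fmt.Errorf("signature uses %s but Hash header declares %v", sigHash, c.Hashes)
}

// Constructed samples; the signature block is a placeholder, not a real packet.
const (
	goodMessage = beginSigned + "\n" +
		"Hash: SHA256\n" +
		"\n" +
		"Release 1.2.3 is ready.\n" +
		"- -- dash-escaped line, part of the signed text\n" +
		beginSignature + "\n" +
		"PLACEHOLDER_SIGNATURE\n" +
		"-----END PGP SIGNATURE-----\n"

	// An extra line placed in the header block; the vulnerable library skipped it.
	smuggledMessage = beginSigned + "\n" +
		"Hash: SHA256\n" +
		"Release 9.9.9 is ready.\n" +
		"\n" +
		"Release 1.2.3 is ready.\n" +
		beginSignature + "\n" +
		"PLACEHOLDER_SIGNATURE\n" +
		"-----END PGP SIGNATURE-----\n"
)

func main() {
	c, err := ParseClearsigned(goodMessage)
	if err != nil {
		panic(err)
	}
	fmt.Println("declared digests:", c.Hashes)
	fmt.Println("signature made with SHA256:", CheckDeclaredHash(c, "SHA256"))
	fmt.Println("signature made with SHA512:", CheckDeclaredHash(c, "SHA512"))
	_, err = ParseClearsigned(smuggledMessage)
	fmt.Println("smuggled header-block text:", err)
}
```

CheckDeclaredHash only has meaning once the caller has parsed the signature packet and knows which digest it names; the point of the check is that the human-visible header and the cryptographically bound algorithm must agree, which is exactly what the vulnerable code never established.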
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-26 03:52:29 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 8 Larry the Git Cow gentoo-dev 2020-04-26 20:55:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0bf6a932af3237502fe2660e7df20a5924ed3f4

commit a0bf6a932af3237502fe2660e7df20a5924ed3f4
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-04-26 20:53:17 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-04-26 20:55:07 +0000

    package.mask: Last rite dev-go/go-crypto and go-net
    
    Bug: https://bugs.gentoo.org/710142
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 profiles/package.deprecated | 2 --
 profiles/package.mask       | 7 +++++++
 2 files changed, 7 insertions(+), 2 deletions(-)
Comment 9 Sam James gentoo-dev Security 2020-04-26 20:56:44 UTC
Tree not yet clean, last-rited though.
Comment 10 Larry the Git Cow gentoo-dev 2020-05-31 10:25:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b426ca4581a3e97056d7f200150f2a2dab8b6f8

commit 5b426ca4581a3e97056d7f200150f2a2dab8b6f8
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-31 10:24:23 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-31 10:25:03 +0000

    dev-go/go-crypto: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/710142
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-go/go-crypto/Manifest                       |  1 -
 dev-go/go-crypto/go-crypto-0_pre20180816.ebuild | 45 ----------------------
 dev-go/go-crypto/go-crypto-9999.ebuild          | 50 -------------------------
 dev-go/go-crypto/metadata.xml                   | 10 -----
 profiles/package.mask                           |  5 ---
 5 files changed, 111 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9761dd993c705e4d198bdef66edddef4e864bfba

commit 9761dd993c705e4d198bdef66edddef4e864bfba
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-31 10:24:17 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-31 10:24:58 +0000

    dev-go/go-net: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/710142
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-go/go-net/Manifest                    |  1 -
 dev-go/go-net/go-net-0_pre20180816.ebuild | 56 -----------------------------
 dev-go/go-net/go-net-9999.ebuild          | 59 -------------------------------
 dev-go/go-net/metadata.xml                | 10 ------
 profiles/package.mask                     |  1 -
 5 files changed, 127 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16cb1381d8d2ab6b06b9ef0bace39453cf8b5412

commit 16cb1381d8d2ab6b06b9ef0bace39453cf8b5412
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-31 10:24:09 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-31 10:24:53 +0000

    dev-go/go-sys: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/710142
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-go/go-sys/Manifest                    |  1 -
 dev-go/go-sys/go-sys-0_pre20180816.ebuild | 37 ------------------------------
 dev-go/go-sys/go-sys-9999.ebuild          | 38 -------------------------------
 dev-go/go-sys/metadata.xml                | 10 --------
 profiles/package.mask                     |  1 -
 5 files changed, 87 deletions(-)
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-05-31 10:25:32 UTC
removing