| Summary: | <dev-go/go-crypto-0_pre20180816: Multiple vulnerabilities (CVE-2019-11841, CVE-2020-9283) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED OBSOLETE | ||
| Severity: | trivial | CC: | embedded, williamh, zmedico |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | ~3 [noglsa cleanup masked cve] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Agostino Sarubbo
2020-02-19 08:14:10 UTC
(In reply to Agostino Sarubbo from comment #0) > From https://bugzilla.redhat.com/1804533 : > Upcoming security fix for the golang.org/x/crypto/ssh package in the > golang.org/x/crypto module. > > > Reference: > > https://groups.google.com/forum/#!topic/kubernetes-security-discuss/ > s15RxeNdBLc > > @maintainer(s): after the bump, in case we need to stabilize the package, > please let us know if it is ready for the stabilization or not. Patch: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 It looks like this is actually dev-go/go-crypto. @maintainer(s): ok to apply patch or create a new ebuild? thanks! (In reply to sam_c (Security Padawan) from comment #1) > (In reply to Agostino Sarubbo from comment #0) > > From https://bugzilla.redhat.com/1804533 : > > Upcoming security fix for the golang.org/x/crypto/ssh package in the > > golang.org/x/crypto module. > > > > > > Reference: > > > > https://groups.google.com/forum/#!topic/kubernetes-security-discuss/ > > s15RxeNdBLc > > > > @maintainer(s): after the bump, in case we need to stabilize the package, > > please let us know if it is ready for the stabilization or not. > > Patch: > https://github.com/golang/crypto/commit/ > bac4c82f69751a6dd76e702d54b3ceb88adab236 > > It looks like this is actually dev-go/go-crypto. > > @maintainer(s): ok to apply patch or create a new ebuild? thanks! Another vulnerability. 2) CVE-2020-7919 Description: "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte." URL: https://groups.google.com/forum/#!topic/golang-announce/Hsw4mHYc470 (see also bug 712924). May be easier to just bump the ebuild at this point. We need to check which versions contain https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236. Vulnerability is in dev-go/go-crypto! Package has no stable ebuild. @ maintainer(s): Please bump and drop =dev-go/go-crypto-0_pre20180816 aferwards! The dev-go/go-crypto package is deprecated and the only non-masked and non-deprecated consumer package is dev-embedded/arduino-builder-1.4.1 (dev-embedded/arduino-builder1.4.1-r1 is fixed).
The dependency chain is:
dev-embedded/arduino-builder-1.4.1 ->
dev-go/go-net (deprecated) ->
dev-go/go-crypto (deprecated)
@embedded: please remove dev-embedded/arduino-builder-1.4.1.
CVE-2019-11841 (https://nvd.nist.gov/vuln/detail/CVE-2019-11841): A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures. Arches and Maintainer(s), Thank you for your work. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0bf6a932af3237502fe2660e7df20a5924ed3f4 commit a0bf6a932af3237502fe2660e7df20a5924ed3f4 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2020-04-26 20:53:17 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2020-04-26 20:55:07 +0000 package.mask: Last rite dev-go/go-crypto and go-net Bug: https://bugs.gentoo.org/710142 Signed-off-by: Zac Medico <zmedico@gentoo.org> profiles/package.deprecated | 2 -- profiles/package.mask | 7 +++++++ 2 files changed, 7 insertions(+), 2 deletions(-) Tree not yet clean, last-rited though. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b426ca4581a3e97056d7f200150f2a2dab8b6f8 commit 5b426ca4581a3e97056d7f200150f2a2dab8b6f8 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2020-05-31 10:24:23 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2020-05-31 10:25:03 +0000 dev-go/go-crypto: Remove last-rited pkg Bug: https://bugs.gentoo.org/710142 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-go/go-crypto/Manifest | 1 - dev-go/go-crypto/go-crypto-0_pre20180816.ebuild | 45 ---------------------- dev-go/go-crypto/go-crypto-9999.ebuild | 50 ------------------------- dev-go/go-crypto/metadata.xml | 10 ----- profiles/package.mask | 5 --- 5 files changed, 111 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9761dd993c705e4d198bdef66edddef4e864bfba commit 9761dd993c705e4d198bdef66edddef4e864bfba Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2020-05-31 10:24:17 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2020-05-31 10:24:58 +0000 dev-go/go-net: Remove last-rited pkg Bug: https://bugs.gentoo.org/710142 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-go/go-net/Manifest | 1 - dev-go/go-net/go-net-0_pre20180816.ebuild | 56 ----------------------------- dev-go/go-net/go-net-9999.ebuild | 59 ------------------------------- dev-go/go-net/metadata.xml | 10 ------ profiles/package.mask | 1 - 5 files changed, 127 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16cb1381d8d2ab6b06b9ef0bace39453cf8b5412 commit 16cb1381d8d2ab6b06b9ef0bace39453cf8b5412 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2020-05-31 10:24:09 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2020-05-31 10:24:53 +0000 dev-go/go-sys: Remove last-rited pkg Bug: https://bugs.gentoo.org/710142 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-go/go-sys/Manifest | 1 - dev-go/go-sys/go-sys-0_pre20180816.ebuild | 37 ------------------------------ dev-go/go-sys/go-sys-9999.ebuild | 38 ------------------------------- dev-go/go-sys/metadata.xml | 10 -------- profiles/package.mask | 1 - 5 files changed, 87 deletions(-) removing |
