Summary: | <dev-lang/go-{1.13.15, 1.14.7}: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | williamh |
Priority: | Normal | Flags: | nattka: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/golang/go/issues/40618 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | dev-lang/go-1.13.15, dev-lang/go-1.14.7 | ||
Runtime testing required: | --- |
Description
Sam James
2020-08-06 17:13:25 UTC
Please bump to 1.13.15, 1.14.7.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5e8abfb9b2973e4b4f99b61b6b999184c0df9a5

commit e5e8abfb9b2973e4b4f99b61b6b999184c0df9a5
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-08-06 18:50:41 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2020-08-06 18:52:19 +0000

dev-lang/go: mark 1.13.15 and 1.14.7 stable on amd64 for security

Bug: https://bugs.gentoo.org/736156
Signed-off-by: William Hubbs <williamh@gentoo.org>

dev-lang/go/go-1.13.15.ebuild | 2 +-
dev-lang/go/go-1.14.7.ebuild | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7047696d1eb4be0e320b3482e74a9473fae62f46

commit 7047696d1eb4be0e320b3482e74a9473fae62f46
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-08-06 18:47:47 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2020-08-06 18:52:19 +0000

dev-lang/go: 1.14.7 security bump

Bug: https://bugs.gentoo.org/736156
Signed-off-by: William Hubbs <williamh@gentoo.org>

dev-lang/go/Manifest | 1 +
dev-lang/go/go-1.14.7.ebuild | 188 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 189 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3937ad23fc8918c53bd0266017838adb2d35e06

commit c3937ad23fc8918c53bd0266017838adb2d35e06
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-08-06 18:39:14 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2020-08-06 18:52:18 +0000

dev-lang/go: 1.13.15 security bump

Bug: https://bugs.gentoo.org/736156
Signed-off-by: William Hubbs <williamh@gentoo.org>

dev-lang/go/Manifest | 1 +
dev-lang/go/go-1.13.15.ebuild | 197 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 198 insertions(+)

arm done

arm64 done

x86 done

ppc64 done

all arches done

Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a021d8bf00b7cf1a4a4cab5855ecc8c3689bae5a

commit a021d8bf00b7cf1a4a4cab5855ecc8c3689bae5a
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-08-07 17:12:13 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2020-08-07 17:15:10 +0000

dev-lang/go: remove vulnerable versions

Bug: https://bugs.gentoo.org/736156
Signed-off-by: William Hubbs <williamh@gentoo.org>

dev-lang/go/Manifest | 4 -
dev-lang/go/go-1.13.13.ebuild | 197 ------------------------------------------
dev-lang/go/go-1.13.14.ebuild | 197 ------------------------------------------
dev-lang/go/go-1.14.5.ebuild | 188 ----------------------------------------
dev-lang/go/go-1.14.6.ebuild | 188 ----------------------------------------
5 files changed, 774 deletions(-)

Thanks William.

GLSA vote: no.

Closing.