
Bug 766216 (CVE-2021-3114, CVE-2021-3115)

Summary: <dev-lang/go-{1.14.14,1.15.7}: multiple vulnerabilities (CVE-2021-{3114,3115})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: williamh
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://groups.google.com/g/golang-announce/c/mperVMGa98w
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-19 23:49:34 UTC
CVE-2021-3115 (golang.org/issue/43783):

The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running “go get”, or any other command that builds code. Only users who build untrusted code (and don’t execute it) are affected.

In addition to Windows users, this can also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” or build commands outside of a module or with module mode disabled.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

For more background on the cmd/go change and help deciding whether your own programs might have similar issues, see our blog post at https://blog.golang.org/path-security.


CVE-2021-3114 (golang.org/issue/43786):

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).


Fixed in 1.14.14 and 1.15.7. Please bump
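
Added example, not part of the bug report or the Go announcement: a Go sketch of the Unix precondition described for CVE-2021-3115, a PATH that contains "." (or another relative element), together with a lookup that searches only absolute PATH directories. The names RiskyPathEntries and LookPathAbs are hypothetical helpers, and "gcc" is only an assumed example of a tool that a cgo build would look up.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// RiskyPathEntries returns the PATH elements that are resolved relative to
// the current directory: ".", the empty element, and any other relative path.
func RiskyPathEntries(pathVar string) []string {
	var risky []string
	for _, dir := range filepath.SplitList(pathVar) {
		if !filepath.IsAbs(dir) {
			risky = append(risky, dir)
		}
	}
	return risky
}

// LookPathAbs (hypothetical helper) finds an executable named file using only
// the absolute directories in pathVar, so the directory being built in is
// never searched for tools.
func LookPathAbs(file, pathVar string) (string, error) {
	if filepath.Base(file) != file {
		return "", fmt.Errorf("%q is not a bare command name", file)
	}
	for _, dir := range filepath.SplitList(pathVar) {
		if !filepath.IsAbs(dir) {
			continue // skip ".", "" and other relative entries
		}
		candidate := filepath.Join(dir, file)
		info, err := os.Stat(candidate)
		if err == nil && info.Mode().IsRegular() && info.Mode().Perm()&0o111 != 0 {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("%q not found in any absolute PATH entry", file)
}

func main() {
	pathVar := os.Getenv("PATH")
	for _, dir := range RiskyPathEntries(pathVar) {
		fmt.Printf("relative PATH entry: %q\n", dir)
	}
	if p, err := LookPathAbs("gcc", pathVar); err == nil { // "gcc" is an assumed tool name
		fmt.Println("gcc resolves to", p)
	} else {
		fmt.Println(err)
	}
}
```

An empty result from RiskyPathEntries means the shell PATH does not meet the Unix condition named in the advisory; upgrading to the fixed Go versions is still the remedy the report asks for.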
Comment 1 William Hubbs gentoo-dev 2021-01-21 15:52:16 UTC
These are in the tree.
Comment 2 Larry the Git Cow gentoo-dev 2021-01-21 15:57:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec2e47baa4227a13f55d6499312aaff571964b18

commit ec2e47baa4227a13f55d6499312aaff571964b18
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-21 15:54:42 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-21 15:57:17 +0000

    dev-lang/go: stable 1.14.14 and 1.15.7 on amd64
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.14.14.ebuild | 2 +-
 dev-lang/go/go-1.15.7.ebuild  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-22 01:49:44 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-23 05:55:50 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 04:54:23 UTC
ppc64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-27 22:46:14 UTC
arm done

all arches done
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-27 22:50:22 UTC
Please cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2021-01-28 00:20:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f94a9c778deffc13c4bcb9ec27d5cf90c19c1b5e

commit f94a9c778deffc13c4bcb9ec27d5cf90c19c1b5e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-28 00:17:12 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-28 00:17:41 +0000

    dev-lang/go: remove 1.14.13-r1 and 1.15.6-r1
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.14.13-r1.ebuild | 197 ---------------------------------------
 dev-lang/go/go-1.15.6-r1.ebuild  | 197 ---------------------------------------
 2 files changed, 394 deletions(-)
Comment 9 Larry the Git Cow gentoo-dev 2021-01-28 00:22:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=220629a3e1e453af234c61605a6c4ea2ff44d840

commit 220629a3e1e453af234c61605a6c4ea2ff44d840
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-28 00:21:23 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-28 00:21:56 +0000

    dev-lang/go: fix manifest
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest | 2 --
 1 file changed, 2 deletions(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-28 02:19:27 UTC
Added to existing GLSA request.
Comment 16 NATTkA bot gentoo-dev 2021-07-29 18:13:10 UTC
Package list is empty or all packages have requested keywords.
Comment 17 Larry the Git Cow gentoo-dev 2022-08-04 14:02:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:15:06 UTC
GLSA released, all done!