Bug 775326 (CVE-2021-27918, CVE-2021-27919)

Summary:	<dev-lang/go-{1.15.10,1.16.2}: Multiple vulnerabilities (CVE-2021-{27918, 27919})
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	williamh
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A3 [glsa+]
Package list:	dev-lang/go-1.15.10 dev-lang/go-1.16.2	Runtime testing required:	---

Description Sam James archtester

2021-03-11 01:24:21 UTC

* CVE-2021-27918

Description:
"encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.

This issue is CVE-2021-27918 and Go issue golang.org/issue/44913."

* CVE-2021-27919

Description:
"archive/zip: panic when calling Reader.Open
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with “../”.

This issue is CVE-2021-27919 and Go issue golang.org/issue/44916."

Please bump to Go 1.16.1 and Go 1.15.9.

Comment 1 Larry the Git Cow gentoo-dev

2021-03-12 01:01:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58e4b63111ef301c3088aca66f18b197677e12fd

commit 58e4b63111ef301c3088aca66f18b197677e12fd
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-03-12 00:59:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-03-12 01:01:05 +0000

    dev-lang/go: 1.16.2 bump
    
    Bug: https://bugs.gentoo.org/775326
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.16.2.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c90270721a7dda15113d834e5df1aa562e980c4

commit 6c90270721a7dda15113d834e5df1aa562e980c4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-03-12 00:52:00 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-03-12 01:01:04 +0000

    dev-lang/go: 1.15.10 bump
    
    Bug: https://bugs.gentoo.org/775326
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   1 +
 dev-lang/go/go-1.15.10.ebuild | 197 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)

Comment 2 William Hubbs gentoo-dev

2021-03-12 01:02:17 UTC

Please add arches and stabilize both 1.16.2 and 1.15.10.

Comment 3 John Helmert III archtester

2021-03-12 05:20:14 UTC

(In reply to William Hubbs from comment #2)
> Please add arches and stabilize both 1.16.2 and 1.15.10.

Thank you!

Comment 4 Mikle Kolyada (RETIRED) archtester

2021-03-12 08:09:11 UTC

amd64 stable

Comment 5 Sam James archtester

2021-03-12 15:31:01 UTC

arm done

Comment 6 Sam James archtester

2021-03-12 15:31:09 UTC

ppc64 done

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2021-03-12 19:44:45 UTC

commit 1b6bfb1917feea1e740f240794f35398356c0ccb
Author: Sam James <sam@gentoo.org>
Date:   Fri Mar 12 15:30:16 2021 +0000

    dev-lang/go: Stabilize 1.16.2 arm64, #775326

    Signed-off-by: Sam James <sam@gentoo.org>

commit 6c85beb0ce118687b09c3ee8a13cd57d12325ad1
Author: Sam James <sam@gentoo.org>
Date:   Fri Mar 12 15:30:15 2021 +0000

    dev-lang/go: Stabilize 1.15.10 arm64, #775326

    Signed-off-by: Sam James <sam@gentoo.org>

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2021-03-15 01:40:26 UTC

x86 stable

Comment 9 NATTkA bot gentoo-dev

2021-05-24 19:52:24 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-lang/go-1.15.10

Comment 10 NATTkA bot gentoo-dev

2021-05-25 02:56:27 UTC

Unable to check for sanity:

> no match for package: dev-lang/go-1.15.10

Comment 11 Larry the Git Cow gentoo-dev

2022-08-04 14:02:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

Comment 12 John Helmert III archtester

2022-08-04 14:04:19 UTC

GLSA released, all done!