
Bug 775326 (CVE-2021-27918, CVE-2021-27919)

Summary: <dev-lang/go-{1.15.10,1.16.2}: Multiple vulnerabilities (CVE-2021-{27918, 27919})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: williamh
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+]
Package list:
dev-lang/go-1.15.10 dev-lang/go-1.16.2
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-11 01:24:21 UTC
* CVE-2021-27918

Description:
"encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.

This issue is CVE-2021-27918 and Go issue golang.org/issue/44913."

* CVE-2021-27919

Description:
"archive/zip: panic when calling Reader.Open
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with “../”.

This issue is CVE-2021-27919 and Go issue golang.org/issue/44916."

Please bump to Go 1.16.1 and Go 1.15.9.
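Added example, not taken from this bug or from the Go project: a Go program that hands xml.NewTokenDecoder a custom xml.TokenReader which hits EOF while a <test> element is still open, the condition CVE-2021-27918 describes, and shows that a patched toolchain reports it as a *xml.SyntaxError instead of looping. The tokenSlice, endlessTest and budgetReader types, the ErrTokenBudget sentinel and the token budget are assumptions made for this demonstration; budgetReader is the kind of cap a caller can put around an untrusted TokenReader so a stream that never terminates fails closed, which the CVE fix alone does not give you for unbounded nesting.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// tokenSlice is a constructed xml.TokenReader that replays a fixed list of
// tokens and then reports io.EOF. Given only an opening tag it reproduces the
// "EOF in the middle of an open XML element" condition from the advisory.
type tokenSlice struct {
	toks []xml.Token
}

func (t *tokenSlice) Token() (xml.Token, error) {
	if len(t.toks) == 0 {
		return nil, io.EOF
	}
	tok := t.toks[0]
	t.toks = t.toks[1:]
	return tok, nil
}

// testStream builds <test></test>; with truncated set the closing tag is
// dropped, so EOF arrives while the element is still open.
func testStream(truncated bool) *tokenSlice {
	start := xml.StartElement{Name: xml.Name{Local: "test"}}
	if truncated {
		return &tokenSlice{toks: []xml.Token{start}}
	}
	return &tokenSlice{toks: []xml.Token{start, start.End()}}
}

// endlessTest never ends: every call yields another <test> opening tag, so a
// decoder skipping unknown children keeps reading until something stops it.
type endlessTest struct{}

func (endlessTest) Token() (xml.Token, error) {
	return xml.StartElement{Name: xml.Name{Local: "test"}}, nil
}

// ErrTokenBudget is a made-up sentinel returned once the caller's limit is hit.
var ErrTokenBudget = errors.New("xml: token budget exhausted")

// budgetReader caps how many tokens a Decoder may pull from an untrusted
// TokenReader, so a stream that never terminates fails closed instead of
// spinning forever. Defence in depth added here; not part of encoding/xml.
type budgetReader struct {
	r    xml.TokenReader
	left int
}

func (b *budgetReader) Token() (xml.Token, error) {
	if b.left <= 0 {
		return nil, ErrTokenBudget
	}
	b.left--
	return b.r.Token()
}

// doc is the minimal decode target: a single <test/> element.
type doc struct {
	XMLName xml.Name `xml:"test"`
}

// decodeDoc wraps tr in budgetReader, feeds it to xml.NewTokenDecoder and
// returns whatever Decode reports for one <test> element.
func decodeDoc(tr xml.TokenReader, budget int) error {
	d := xml.NewTokenDecoder(&budgetReader{r: tr, left: budget})
	return d.Decode(&doc{})
}

// classify names the outcome so callers need not inspect error types themselves.
func classify(err error) string {
	var se *xml.SyntaxError
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, ErrTokenBudget):
		return "budget"
	case errors.As(err, &se):
		return "syntax"
	default:
		return "other"
	}
}

func main() {
	fmt.Println("complete: ", classify(decodeDoc(testStream(false), 10)))
	// Patched Go returns a *xml.SyntaxError ("unexpected EOF") here; the
	// advisory says the affected versions may loop instead of returning.
	fmt.Println("truncated:", classify(decodeDoc(testStream(true), 10)))
	// Unbounded nesting is outside the CVE fix; the budget is what ends it.
	fmt.Println("endless:  ", classify(decodeDoc(endlessTest{}, 50)))
}
```

Run it with `go run` on a toolchain at or above the versions this bug bumps to; the truncated stream should classify as "syntax" and the endless one as "budget". Pick the budget from the largest document you legitimately expect, not from a guess, since a too-small cap turns into a self-inflicted denial of service.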
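Added example for the second issue, again not part of this bug or of archive/zip: it builds an in-memory ZIP whose member is named "../evil.txt" and calls Reader.Open on it, the call CVE-2021-27919 says panics in Go 1.16.0; on a patched toolchain Open returns an error instead. buildZip, openNoPanic, unsafeZipName and unsafeEntries are names chosen here, and unsafeZipName assumes Unix path semantics. It is the pre-extraction filter an archive consumer wants regardless of Go version: a rejected Open is not the same as a rejected archive, and code that walks r.File and writes to disk never calls Open at all.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io/fs"
	"path"
	"strings"
)

// buildZip returns a constructed in-memory archive containing one small file
// per name given. Names are written verbatim, so "../evil.txt" lands in the
// central directory exactly as an attacker-supplied archive would carry it.
func buildZip(names ...string) (*zip.Reader, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		f, err := w.Create(n)
		if err != nil {
			return nil, err
		}
		if _, err := f.Write([]byte("payload")); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
}

// openNoPanic calls Reader.Open and turns a panic (the Go 1.16.0 behaviour
// described in the advisory) into a flag plus error, so the outcome can be
// examined either way without crashing the caller.
func openNoPanic(r *zip.Reader, name string) (panicked bool, err error) {
	defer func() {
		if rec := recover(); rec != nil {
			panicked, err = true, fmt.Errorf("panic: %v", rec)
		}
	}()
	f, err := r.Open(name)
	if err == nil {
		f.Close()
	}
	return false, err
}

// unsafeZipName flags member names that could escape an extraction root:
// empty, absolute, backslash-separated, or still climbing above the root
// after path.Clean. Assumption: Unix path semantics; Windows drive letters
// and reserved device names are not considered here.
func unsafeZipName(name string) bool {
	if name == "" || strings.Contains(name, `\`) || strings.HasPrefix(name, "/") {
		return true
	}
	clean := path.Clean(name)
	return clean == ".." || strings.HasPrefix(clean, "../")
}

// unsafeEntries lists the members a pre-extraction check should reject,
// independent of whether Reader.Open happens to panic or error on them.
func unsafeEntries(r *zip.Reader) []string {
	var bad []string
	for _, f := range r.File {
		if unsafeZipName(f.Name) {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

func main() {
	r, err := buildZip("../evil.txt", "ok/readme.txt")
	if err != nil {
		panic(err)
	}
	// Patched Go: Open returns an *fs.PathError for the non-local name
	// rather than panicking.
	panicked, err := openNoPanic(r, "../evil.txt")
	var pe *fs.PathError
	fmt.Println("open ../evil.txt: panicked =", panicked, "err =", err,
		"PathError =", errors.As(err, &pe))
	_, err = openNoPanic(r, "ok/readme.txt")
	fmt.Println("open ok/readme.txt: err =", err)
	// The check a zip-slip-aware extractor runs before touching the filesystem.
	fmt.Println("unsafe members:", unsafeEntries(r))
}
```

Note that zip.NewReader itself accepts the archive: rejecting members that would escape the extraction root is the consumer's job, which is why unsafeEntries runs over r.File rather than relying on Open.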
Comment 1 Larry the Git Cow gentoo-dev 2021-03-12 01:01:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58e4b63111ef301c3088aca66f18b197677e12fd

commit 58e4b63111ef301c3088aca66f18b197677e12fd
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-03-12 00:59:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-03-12 01:01:05 +0000

    dev-lang/go: 1.16.2 bump
    
    Bug: https://bugs.gentoo.org/775326
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.16.2.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c90270721a7dda15113d834e5df1aa562e980c4

commit 6c90270721a7dda15113d834e5df1aa562e980c4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-03-12 00:52:00 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-03-12 01:01:04 +0000

    dev-lang/go: 1.15.10 bump
    
    Bug: https://bugs.gentoo.org/775326
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   1 +
 dev-lang/go/go-1.15.10.ebuild | 197 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 2 William Hubbs gentoo-dev 2021-03-12 01:02:17 UTC
Please add arches and stabilize both 1.16.2 and 1.15.10.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-12 05:20:14 UTC
(In reply to William Hubbs from comment #2)
> Please add arches and stabilize both 1.16.2 and 1.15.10.

Thank you!
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-03-12 08:09:11 UTC
amd64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-12 15:31:01 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-12 15:31:09 UTC
ppc64 done
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2021-03-12 19:44:45 UTC
commit 1b6bfb1917feea1e740f240794f35398356c0ccb
Author: Sam James <sam@gentoo.org>
Date:   Fri Mar 12 15:30:16 2021 +0000

    dev-lang/go: Stabilize 1.16.2 arm64, #775326

    Signed-off-by: Sam James <sam@gentoo.org>

commit 6c85beb0ce118687b09c3ee8a13cd57d12325ad1
Author: Sam James <sam@gentoo.org>
Date:   Fri Mar 12 15:30:15 2021 +0000

    dev-lang/go: Stabilize 1.15.10 arm64, #775326

    Signed-off-by: Sam James <sam@gentoo.org>
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2021-03-15 01:40:26 UTC
x86 stable
Comment 9 NATTkA bot gentoo-dev 2021-05-24 19:52:24 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-05-25 02:56:27 UTC
Unable to check for sanity:

> no match for package: dev-lang/go-1.15.10
Comment 11 Larry the Git Cow gentoo-dev 2022-08-04 14:02:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:04:19 UTC
GLSA released, all done!