Bug 680240 (CVE-2019-9741) - <dev-lang/go-1.12.1: CRLF injection vulnerability
Summary: <dev-lang/go-1.12.1: CRLF injection vulnerability
Status: RESOLVED FIXED
Alias: CVE-2019-9741
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-13 13:48 UTC by Agostino Sarubbo
Modified: 2019-04-02 06:33 UTC

See Also:
Package list:
dev-lang/go-1.12.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description Agostino Sarubbo gentoo-dev 2019-03-13 13:48:32 UTC
From ${URL} :

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

Reference:
https://github.com/golang/go/issues/30794



@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
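The pattern behind the CVE text above, as an added example (not code from the bug, the reporter, or the Go project): an attacker-controlled value is concatenated into the URL string passed as the second argument to http.NewRequest. The host 127.0.0.1:6379, the parameter name q, the injected value "x\r\nSET pwned 1\r\n" and the naiveWire function are all constructed for this example; naiveWire is a hand-rolled simulation of a client that copies the request-URI onto the wire without checking for control bytes, not net/http code. The rest uses the real net/http and net/url: since Go 1.12, url.Parse (and therefore http.NewRequest) returns "net/url: invalid control character in URL" for such input, and Request.Write refuses a request-URI containing control bytes even when the url.URL struct is filled in by hand. The fix that does not depend on the runtime version is to percent-encode untrusted parameters with url.Values, so CR and LF go out as %0D%0A.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed attacker input for this example (not taken from the report):
// a query-parameter value carrying CRLF followed by a Redis inline command.
const injectedParam = "x\r\nSET pwned 1\r\n"

// Constructed example target: a Redis port reachable from the client.
const targetHost = "127.0.0.1:6379"

// buildTargetURL is the vulnerable pattern: an untrusted value is spliced into
// the string handed to http.NewRequest without any encoding.
func buildTargetURL(host, param string) string {
	return "http://" + host + "/search?q=" + param
}

// naiveWire models a client that copies the request-URI onto the wire without
// checking for control bytes. Hand-rolled simulation for this example only.
func naiveWire(rawURL string) string {
	rest := strings.TrimPrefix(rawURL, "http://")
	i := strings.Index(rest, "/")
	host, uri := rest[:i], rest[i:]
	return "GET " + uri + " HTTP/1.1\r\nHost: " + host + "\r\n\r\n"
}

// protocolLines splits a wire buffer the way a line-oriented server parses it.
// Whatever follows an injected CRLF becomes its own line: an extra HTTP
// header, or, on a Redis port, a separate inline command.
func protocolLines(wire string) []string {
	return strings.Split(wire, "\r\n")
}

// hasCTLByte is the check an application should apply to untrusted URL parts
// before concatenating them: any byte below 0x20, or DEL, is rejected.
func hasCTLByte(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < ' ' || s[i] == 0x7f {
			return true
		}
	}
	return false
}

// buildTargetURLSafe is the version-independent fix: the untrusted value is
// percent-encoded by url.Values, so CR and LF become %0D%0A.
func buildTargetURLSafe(host, param string) string {
	q := url.Values{}
	q.Set("q", param)
	return "http://" + host + "/search?" + q.Encode()
}

// requestWire builds the request with http.NewRequest and serialises it the
// way the Transport would. With Go 1.12 and later url.Parse rejects control
// characters, so the injected URL never reaches the wire.
func requestWire(rawURL string) (string, error) {
	req, err := http.NewRequest("GET", rawURL, nil)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// rawStructWire bypasses url.Parse by filling in url.URL directly, to show
// that Request.Write itself also refuses control bytes in the request-URI.
func rawStructWire(host, rawQuery string) (string, error) {
	req := &http.Request{
		Method: "GET",
		URL:    &url.URL{Scheme: "http", Host: host, Path: "/search", RawQuery: rawQuery},
		Header: http.Header{},
		Host:   host,
	}
	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	bad := buildTargetURL(targetHost, injectedParam)
	fmt.Printf("naive client, as the server sees it: %q\n", protocolLines(naiveWire(bad)))
	if _, err := requestWire(bad); err != nil {
		fmt.Println("http.NewRequest:", err)
	}
	if _, err := rawStructWire(targetHost, "q="+injectedParam); err != nil {
		fmt.Println("Request.Write:", err)
	}
	fmt.Println("rejected by hasCTLByte:", hasCTLByte(injectedParam))
	wire, err := requestWire(buildTargetURLSafe(targetHost, injectedParam))
	fmt.Printf("encoded request: %q err=%v\n", wire, err)
}
```

Run against a vulnerable runtime, the naive serialisation shows why a Redis port is the interesting target: Redis parses its inline protocol one line at a time, so "SET pwned 1" arrives as a complete command regardless of what the surrounding HTTP looks like. The percent-encoded request keeps the whole value on the request line, which is the behaviour to verify after upgrading.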
Comment 1 William Hubbs gentoo-dev 2019-03-17 21:11:59 UTC
Arch teams, please stabilize dev-lang/go-1.12.1.
I will handle amd64.

Thanks,

William
Comment 2 Larry the Git Cow gentoo-dev 2019-03-17 21:31:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09d8a22411e33d1ea7e44df9aa118994c92f2c39

commit 09d8a22411e33d1ea7e44df9aa118994c92f2c39
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2019-03-17 21:24:53 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2019-03-17 21:29:29 +0000

    dev-lang/go: stable 1.12.1 on amd64
    
    Bug: https://bugs.gentoo.org/680240
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.12.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-20 11:33:55 UTC
arm stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-20 11:35:27 UTC
(In reply to Mikle Kolyada from comment #3)
> arm stable

hmm no, this says a package list is empty
Comment 5 Markus Meier gentoo-dev 2019-03-20 17:03:29 UTC
arm stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:21:15 UTC
x86 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-03-27 23:32:24 UTC
@maintainer, please drop vulnerable.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:46:09 UTC
x86 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-28 03:41:56 UTC
Maintainer(s), please drop the vulnerable version(s).
Version: 1.11.5
Comment 10 Larry the Git Cow gentoo-dev 2019-03-31 19:13:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e983932e78749663d33aa91cfd0f95491552ab5

commit 4e983932e78749663d33aa91cfd0f95491552ab5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2019-03-31 19:11:20 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2019-03-31 19:12:49 +0000

    dev-lang/go: remove vulnerable version 1.11.5
    
    Bug: https://bugs.gentoo.org/680240
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 -
 dev-lang/go/go-1.11.5.ebuild | 236 -------------------------------------------
 2 files changed, 237 deletions(-)
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 06:33:11 UTC
Arches and Maintainer(s), Thank you for your work.