Bug 712924 (CVE-2020-7919) - <dev-lang/go-{1.12.17},{1.13.7}: Malformed X509 cert can cause panic (CVE-2020-7919)
Status: RESOLVED FIXED
Alias: CVE-2020-7919
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://groups.google.com/forum/#!top...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 706512 711552
Blocks:
Reported: 2020-03-16 22:00 UTC by Sam James
Modified: 2020-04-26 01:40 UTC (History)

See Also:
Package list:
dev-lang/go-1.12.17
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-03-16 22:00:10 UTC
Description:
"On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue.
The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte."

(Note that 1.13.{6,7} was removed from tree on 9th March: https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-lang/go?id=4369b8cb64751a5ce205276e944f8e663f23b14b)
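Two defender-side checks for the issue described above, written for this page as an added example (not code from the Go project, the Gentoo bug, or the linked commits): a gate that tests whether a Go release string already carries the fix, using the fixed-version boundaries named in the bug title (1.12.17, 1.13.7) and the note that 1.14 shipped with the fix, and a recover wrapper that turns a certificate-parser panic into an ordinary error so a client process is not taken down. The junk DER fed to the wrapper is a constructed sample, not a trigger for the bug.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// GoVersionFixed reports whether a release string such as "go1.13.6" carries the
// CVE-2020-7919 fix: 1.12.17+, 1.13.7+, or any 1.14+ release. Anything that is not
// a plain release string (devel builds, rc/beta tags) is treated as unfixed.
func GoVersionFixed(v string) bool {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	nums := make([]int, 3) // major, minor, patch; missing patch means 0
	for i := 0; i < len(parts) && i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return false
		}
		nums[i] = n
	}
	major, minor, patch := nums[0], nums[1], nums[2]
	switch {
	case major != 1:
		return major > 1
	case minor >= 14:
		return true
	case minor == 13:
		return patch >= 7
	case minor == 12:
		return patch >= 17
	default:
		return false
	}
}

// ParseCertificateSafely wraps x509.ParseCertificate so that a panic inside the
// parser comes back as an error instead of terminating the calling process.
func ParseCertificateSafely(der []byte) (cert *x509.Certificate, err error) {
	defer func() {
		if r := recover(); r != nil {
			cert, err = nil, fmt.Errorf("x509 parser panicked: %v", r)
		}
	}()
	return x509.ParseCertificate(der)
}

func main() {
	fmt.Printf("%s patched: %v\n", runtime.Version(), GoVersionFixed(runtime.Version()))
	_, err := ParseCertificateSafely([]byte{0x30, 0x03, 0x02, 0x01}) // constructed truncated DER
	fmt.Println("junk DER:", err)
}
```

The gate covers only the standard library of the toolchain that built the binary; a vendored golang.org/x/crypto/cryptobyte has to be at or past the module version quoted in the description.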
Comment 1 Sam James archtester gentoo-dev Security 2020-03-16 22:05:45 UTC
Bug: https://github.com/golang/go/issues/36837

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-03-16 23:08:25 UTC
We still need to check status in 1.14.x.
Comment 3 Sam James archtester gentoo-dev Security 2020-03-16 23:20:23 UTC
(In reply to Thomas Deutschmann from comment #2)
> We still need to check status in 1.14.x.

> The upcoming Go 1.14rc1 release will also include the fixes above.

Go 1.14 has since been released, so we're good there!
Comment 4 William Hubbs gentoo-dev 2020-03-17 15:21:52 UTC
1.13.8 is waiting for #711552.
I will stabilize 1.12.17 myself.
Comment 5 Larry the Git Cow gentoo-dev 2020-03-17 15:33:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8515427b17f2c8d3190fcf5e774717df4447b98

commit f8515427b17f2c8d3190fcf5e774717df4447b98
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-03-17 15:30:51 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-03-17 15:33:01 +0000

    dev-lang/go: stabilize 1.12.17
    
    Bug: https://bugs.gentoo.org/712924
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.12.17.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2020-03-17 15:53:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b800340816ed04663391c292786f1a5a3ccd1f29

commit b800340816ed04663391c292786f1a5a3ccd1f29
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-03-17 15:50:51 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-03-17 15:51:19 +0000

    dev-lang/go: remove vulnerable 1.12 versions
    
    Bug: https://bugs.gentoo.org/712924
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 -
 dev-lang/go/go-1.12.13.ebuild | 246 ------------------------------------------
 dev-lang/go/go-1.12.15.ebuild | 246 ------------------------------------------
 3 files changed, 494 deletions(-)
Comment 7 Sam James archtester gentoo-dev Security 2020-03-21 11:11:48 UTC
(updating whiteboard to reflect waiting for stable).
Comment 8 Sam James archtester gentoo-dev Security 2020-03-29 00:15:43 UTC
@maintainer(s), please cleanup!
Comment 9 Sam James archtester gentoo-dev Security 2020-04-04 19:21:23 UTC
Tree is clean.
Comment 10 NATTkA bot gentoo-dev 2020-04-06 11:21:16 UTC
Unable to check for sanity:

> no match for package: dev-lang/go-1.13.8
Comment 11 NATTkA bot gentoo-dev 2020-04-06 13:08:36 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 12 William Hubbs gentoo-dev 2020-04-17 16:34:30 UTC
Ping,

the tree is clean, so what's the next step?

Thanks,

William
Comment 13 Sam James archtester gentoo-dev Security 2020-04-17 16:35:46 UTC
(In reply to William Hubbs from comment #12)
> Ping,
> 
> the tree is clean, so what's the next step?
> 
> Thanks,
> 
> William

Hi William,

Nothing more for you to do - we may GLSA it but that's just on our side.

Ignore nattka... it's still having teething problems with the sec bugs.

Thanks!
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 01:40:56 UTC
GLSA Vote: No
Arches and Maintainer(s), thank you for your work.