Bug 816912 (CVE-2021-38297) - <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)
Summary: <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)
Status: RESOLVED FIXED
Alias: CVE-2021-38297
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 817902
Blocks:
Reported: 2021-10-08 02:34 UTC by Sam James
Modified: 2022-08-04 14:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-08 02:34:50 UTC
Description:

```
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.

This is issue #48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.
```
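The description says anyone running modules through wasm_exec.js must replace their copy after rebuilding. As an added example (not part of the bug report or of Go itself), this shell function lists deployed copies that are not byte-identical to the toolchain's file; the `misc/wasm` location and the `/var/www` web root are assumptions.

```sh
#!/bin/sh
# Added example (not from the bug report): list deployed wasm_exec.js copies
# that are not byte-identical to the one shipped with the installed toolchain.

# toolchain_wasm_exec: path of the toolchain's wasm_exec.js.
# Assumption: the misc/wasm location used by Go 1.17.x and the linked wiki page.
toolchain_wasm_exec() {
    printf '%s/misc/wasm/wasm_exec.js\n' "$(go env GOROOT)"
}

# stale_wasm_exec REFERENCE WEBROOT
# Prints every wasm_exec.js under WEBROOT that differs from REFERENCE.
# Exit status: 0 = all copies match, 1 = at least one differs, 2 = bad arguments.
stale_wasm_exec() {
    ref=$1
    root=$2
    if [ ! -f "$ref" ] || [ ! -d "$root" ]; then
        echo "usage: stale_wasm_exec REFERENCE WEBROOT" >&2
        return 2
    fi
    # cmp -s is silent and returns non-zero when the two files differ.
    stale=$(find "$root" -type f -name wasm_exec.js \
        -exec sh -c 'cmp -s "$1" "$2" || printf "%s\n" "$2"' _ "$ref" {} \;)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
    return 0
}

# Typical call after upgrading dev-lang/go and rebuilding the .wasm modules
# (/var/www is a placeholder web root):
#   stale_wasm_exec "$(toolchain_wasm_exec)" /var/www
```

A reported path only means the file is not the toolchain's copy, so a deliberately modified or minified copy will also be listed and needs manual review.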
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-11 05:54:56 UTC
ping
Comment 2 Larry the Git Cow gentoo-dev 2021-10-12 21:40:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19335011ed7ba62e12ca1fa94fb0da3a28e1160e

commit 19335011ed7ba62e12ca1fa94fb0da3a28e1160e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-10-12 21:39:36 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-10-12 21:40:16 +0000

    dev-lang/go: 1.17.2 bump
    
    Bug: https://bugs.gentoo.org/816912
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.2.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 12:39:03 UTC
Please cleanup
Comment 4 William Hubbs gentoo-dev 2021-12-15 18:11:18 UTC
The only version of go in the tree at this point is 1.17.5.
Comment 5 Larry the Git Cow gentoo-dev 2022-08-04 14:02:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:12:06 UTC
GLSA released, all done!