Bug 839684 - dev-lang/go: multiple vulnerabilities (CVE-2022-{28327,24675})
Status: RESOLVED DUPLICATE of bug 838130
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Reported: 2022-04-20 12:29 UTC by filip ambroz
Modified: 2022-04-20 12:35 UTC
Description filip ambroz 2022-04-20 12:29:59 UTC
[CVE-2022-28327]
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

URLs:
https://github.com/golang/go/issues/52075
https://groups.google.com/g/golang-announce/c/oecdBNLOml8


[CVE-2022-24675]
A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.

URLs:
https://github.com/golang/go/issues/51853
https://groups.google.com/g/golang-announce/c/oecdBNLOml8


Fixed versions are already in the tree. We probably only need to clean up the version 1.17.8.
Comment 1 filip ambroz 2022-04-20 12:35:04 UTC

*** This bug has been marked as a duplicate of bug 838130 ***
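
Both conditions described in this bug (a P-256 scalar longer than 32 bytes, and a very large PEM input) can be rejected at the input boundary by code that has to handle untrusted data. The Go code below is an added example, not code from the Go project or from this bug report; the function names, the 1 MiB cap and the choice to reject long scalars outright are assumptions.

```go
package main

import (
	"crypto/elliptic"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// MaxPEMBytes is an assumed cap, well below the 5 MB size named in the report.
const MaxPEMBytes = 1 << 20

var (
	ErrPEMTooLarge  = errors.New("PEM input exceeds size cap")
	ErrScalarTooBig = errors.New("P-256 scalar longer than 32 bytes")
)

// DecodePEMBlocks refuses oversized input before pem.Decode sees it,
// then returns every PEM block found in the data.
func DecodePEMBlocks(data []byte) ([]*pem.Block, error) {
	if len(data) > MaxPEMBytes {
		return nil, ErrPEMTooLarge
	}
	var blocks []*pem.Block
	for {
		b, rest := pem.Decode(data)
		if b == nil {
			return blocks, nil
		}
		blocks = append(blocks, b)
		data = rest
	}
}

// ScalarBaseMultP256 rejects scalars longer than 32 bytes instead of
// handing them to P256().ScalarBaseMult.
func ScalarBaseMultP256(k []byte) (x, y *big.Int, err error) {
	if len(k) > 32 {
		return nil, nil, ErrScalarTooBig
	}
	x, y = elliptic.P256().ScalarBaseMult(k)
	return x, y, nil
}

func main() {
	_, err := DecodePEMBlocks(make([]byte, MaxPEMBytes+1)) // constructed oversized input
	fmt.Println(err)
	_, _, err = ScalarBaseMultP256(make([]byte, 33)) // constructed 33-byte scalar
	fmt.Println(err)
}
```

These guards complement the upgrade to a fixed dev-lang/go version; they do not replace it.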