Bug 579314 (CVE-2016-3959) - dev-lang/go: infinite loop in several big integer routines (CVE-2016-3959)
Summary: dev-lang/go: infinite loop in several big integer routines (CVE-2016-3959)
Status: RESOLVED FIXED
Alias: CVE-2016-3959
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-08 09:32 UTC by Agostino Sarubbo
Modified: 2016-07-30 00:46 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-04-08 09:32:54 UTC
From ${URL} :

Go has an infinite loop in several big integer routines that makes Go
programs vulnerable to remote denial of service attacks.  Programs using
HTTPS client authentication or the Go ssh server libraries are both exposed
to this vulnerability.

Upstream fix:

https://go-review.googlesource.com/#/c/21533/

References:

http://seclists.org/oss-sec/2016/q2/11


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 William Hubbs gentoo-dev 2016-04-13 15:27:17 UTC
Go 1.6.1 is in the tree, and should contain the fix [1].
Do we need to do a fast stable for this? If so, go ahead and add arch
teams.

The targets should be amd64, arm and x86.


[1] http://www.openwall.com/lists/oss-security/2016/04/05/1
Comment 2 William Hubbs gentoo-dev 2016-04-13 17:28:40 UTC
I spoke with k_f about this bug and he agrees we should fast stable. I
will handle amd64 and x86.
Arm team, please stable dev-lang/go-1.6.1.
Comment 3 William Hubbs gentoo-dev 2016-07-29 19:44:21 UTC
@security:
What do we want to do with this bug since all affected versions have
been removed for a while?
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-07-30 00:45:04 UTC
CVE-2016-3959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3959):
  The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before
  1.6.1 does not properly check parameters passed to the big integer library,
  which might allow remote attackers to cause a denial of service (infinite
  loop) via a crafted public key to a program that uses HTTPS client
  certificates or SSH server libraries.
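The NVD text above and the description in comment 0 describe the same root cause: dsa.Verify passed attacker-controlled key parameters straight to math/big without checking them, so a crafted public key presented during HTTPS client-certificate or SSH authentication could tie up the server. As an added illustration for this bug entry (not the upstream change from the CL linked above, and not Gentoo's or Go's own code), the program below validates a DSA public key before it reaches dsa.Verify and refuses degenerate parameter sets such as P == 0. The names checkDSAPublicKey, safeVerify and toyKey, the size bound maxPBits, and the tiny 263/131/4 parameter set (constructed so the example runs instantly offline; an 8-bit Q is worthless for security) are all this example's own assumptions.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// maxPBits bounds the modulus size we are willing to exponentiate with.
// Assumption for this example; size it to what your deployment accepts.
const maxPBits = 4096

// checkDSAPublicKey validates a peer-supplied DSA public key before it is
// handed to dsa.Verify and math/big. Illustrative code, not the Go patch.
func checkDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing parameter")
	}
	p, q := pub.P, pub.Q
	if p.Sign() <= 0 || q.Sign() <= 0 {
		return errors.New("dsa: P and Q must be positive")
	}
	if p.BitLen() > maxPBits {
		return errors.New("dsa: P too large")
	}
	if p.Bit(0) == 0 || q.Bit(0) == 0 {
		return errors.New("dsa: P and Q must be odd")
	}
	if q.Cmp(p) >= 0 {
		return errors.New("dsa: Q must be smaller than P")
	}
	one, two := big.NewInt(1), big.NewInt(2)
	pMinus1 := new(big.Int).Sub(p, one)
	// Q must divide P-1, otherwise no order-Q subgroup exists for G to generate.
	if new(big.Int).Mod(pMinus1, q).Sign() != 0 {
		return errors.New("dsa: Q does not divide P-1")
	}
	elems := []struct {
		name string
		v    *big.Int
	}{{"G", pub.G}, {"Y", pub.Y}}
	for _, e := range elems {
		// 0, 1 and P-1 are degenerate group elements; require [2, P-2].
		if e.v.Cmp(two) < 0 || e.v.Cmp(pMinus1) >= 0 {
			return fmt.Errorf("dsa: %s out of range", e.name)
		}
		// Both must lie in the order-Q subgroup: v^Q mod P == 1.
		if new(big.Int).Exp(e.v, q, p).Cmp(one) != 0 {
			return fmt.Errorf("dsa: %s is not in the order-Q subgroup", e.name)
		}
	}
	return nil
}

// safeVerify runs the parameter check first, then the library's Verify.
func safeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (bool, error) {
	if err := checkDSAPublicKey(pub); err != nil {
		return false, err
	}
	return dsa.Verify(pub, hash, r, s), nil
}

// toyKey builds a tiny but internally consistent DSA key, constructed for
// this example only, so the demo needs no 1024-bit parameter generation.
func toyKey() *dsa.PrivateKey {
	priv := new(dsa.PrivateKey)
	priv.P = big.NewInt(263) // prime; P-1 = 2*131
	priv.Q = big.NewInt(131) // prime; BitLen 8, crypto/dsa wants a multiple of 8
	priv.G = big.NewInt(4)   // 2^2 mod 263 has order 131
	priv.X = big.NewInt(5)
	priv.Y = new(big.Int).Exp(priv.G, priv.X, priv.P) // 4^5 mod 263 = 235
	return priv
}

func main() {
	priv := toyKey()
	h := sha256.Sum256([]byte("client hello"))
	r, s, err := dsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	ok, err := safeVerify(&priv.PublicKey, h[:], r, s)
	fmt.Println("good key:", ok, err)

	// A crafted key with P == 0, the shape of input the CVE text describes.
	bad := priv.PublicKey
	bad.P = big.NewInt(0)
	ok, err = safeVerify(&bad, h[:], r, s)
	fmt.Println("crafted key:", ok, err)
}
```

Current Go releases already refuse a zero P inside Verify itself; the wrapper is still worth having on a server because it rejects the whole family of malformed parameter sets with a distinct error before any modular exponentiation runs, and the maxPBits bound keeps a peer from choosing the cost of that exponentiation.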
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-07-30 00:46:22 UTC
GLSA Vote: No.