Bug 710142 (CVE-2019-11841, CVE-2020-9283) - <dev-go/go-crypto-0_pre20180816: Multiple vulnerabilities (CVE-2019-11841, CVE-2020-9283)
Summary: <dev-go/go-crypto-0_pre20180816: Multiple vulnerabilities (CVE-2019-11841, CV...
Status: RESOLVED OBSOLETE
Alias: CVE-2019-11841, CVE-2020-9283
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa cleanup masked cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-19 08:14 UTC by Agostino Sarubbo
Modified: 2020-05-31 10:25 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2020-02-19 08:14:10 UTC
From https://bugzilla.redhat.com/1804533 :
Upcoming security fix for the golang.org/x/crypto/ssh package in the
golang.org/x/crypto module.


Reference:

https://groups.google.com/forum/#!topic/kubernetes-security-discuss/s15RxeNdBLc

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-16 18:49:33 UTC
(In reply to Agostino Sarubbo from comment #0)
> From https://bugzilla.redhat.com/1804533 :
> Upcoming security fix for the golang.org/x/crypto/ssh package in the
> golang.org/x/crypto module.
> 
> 
> Reference:
> 
> https://groups.google.com/forum/#!topic/kubernetes-security-discuss/
> s15RxeNdBLc
> 
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know if it is ready for the stabilization or not.

Patch: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236

It looks like this is actually dev-go/go-crypto.

@maintainer(s): ok to apply patch or create a new ebuild? thanks!
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-16 22:04:24 UTC
(In reply to sam_c (Security Padawan) from comment #1)
> (In reply to Agostino Sarubbo from comment #0)
> > From https://bugzilla.redhat.com/1804533 :
> > Upcoming security fix for the golang.org/x/crypto/ssh package in the
> > golang.org/x/crypto module.
> > 
> > 
> > Reference:
> > 
> > https://groups.google.com/forum/#!topic/kubernetes-security-discuss/
> > s15RxeNdBLc
> > 
> > @maintainer(s): after the bump, in case we need to stabilize the package,
> > please let us know if it is ready for the stabilization or not.
> 
> Patch:
> https://github.com/golang/crypto/commit/
> bac4c82f69751a6dd76e702d54b3ceb88adab236
> 
> It looks like this is actually dev-go/go-crypto.
> 
> @maintainer(s): ok to apply patch or create a new ebuild? thanks!

Another vulnerability.

2) CVE-2020-7919

Description:
"On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue.
The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte."

URL: https://groups.google.com/forum/#!topic/golang-announce/Hsw4mHYc470

(see also bug 712924).

May be easier to just bump the ebuild at this point.
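As an added illustration of the failure class in the quoted announcement (a malformed ASN.1 length turning into a panic on 32-bit), and not the x/crypto fix itself: a Go DER TLV reader that does all of its length arithmetic in uint64 and bounds-checks against the bytes actually present before anything is converted to a platform int or used to slice. The sample encodings are constructed for this example; the exact arithmetic of the Go bug is not on this page and is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
)

// Element is one DER TLV (tag plus its content octets).
type Element struct {
	Tag     byte
	Content []byte
}

// ReadDER parses one DER TLV from b and returns it with the unread remainder.
// Lengths are accumulated in uint64 and checked against len(b) before the
// conversion to int, so a hostile length field cannot wrap to a negative
// int on a 32-bit target and cannot produce an out-of-range slice.
func ReadDER(b []byte) (Element, []byte, error) {
	var zero Element
	if len(b) < 2 {
		return zero, nil, errors.New("der: truncated header")
	}
	tag := b[0]
	if tag&0x1f == 0x1f {
		return zero, nil, errors.New("der: multi-byte tags not supported in this example")
	}
	first := b[1]
	hdr := 2 // octets consumed by tag + length so far
	var length uint64

	switch {
	case first < 0x80:
		// Short form: the single octet is the length.
		length = uint64(first)
	case first == 0x80:
		return zero, nil, errors.New("der: indefinite length is not DER")
	default:
		// Long form: low 7 bits give the number of length octets that follow.
		n := int(first & 0x7f)
		if n > 8 {
			return zero, nil, errors.New("der: length field longer than 8 octets")
		}
		if len(b) < hdr+n {
			return zero, nil, errors.New("der: truncated length field")
		}
		for _, c := range b[hdr : hdr+n] {
			length = length<<8 | uint64(c)
		}
		hdr += n
		// DER demands minimal encoding: no leading zero octets, and the long
		// form only when the short form cannot express the length.
		if length < 0x80 || b[2] == 0 {
			return zero, nil, errors.New("der: non-minimal length encoding")
		}
	}

	// The bounds check is done in uint64 against the octets that remain.
	// Only once it passes is length known to fit an int on every platform.
	if length > uint64(len(b)-hdr) {
		return zero, nil, fmt.Errorf("der: length %d exceeds %d available octets", length, len(b)-hdr)
	}
	end := hdr + int(length)
	return Element{Tag: tag, Content: b[hdr:end]}, b[end:], nil
}

// Constructed inputs: one well-formed SEQUENCE { INTEGER 5 } and three
// malformed length fields, two of which only fit a 32-bit int if it wraps.
var (
	sampleGood          = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
	sampleHugeLength    = []byte{0x30, 0x84, 0xff, 0xff, 0xff, 0xff} // 4294967295
	sampleInt32Overflow = []byte{0x30, 0x84, 0x80, 0x00, 0x00, 0x00} // 2147483648
	sampleNonMinimal    = []byte{0x30, 0x81, 0x03, 0x02, 0x01, 0x05} // long form for 3
)

func main() {
	for name, in := range map[string][]byte{
		"good": sampleGood, "huge-length": sampleHugeLength,
		"int32-overflow": sampleInt32Overflow, "non-minimal": sampleNonMinimal,
	} {
		el, rest, err := ReadDER(in)
		if err != nil {
			fmt.Printf("%-15s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-15s tag=0x%02x content=% x rest=%d octets\n", name, el.Tag, el.Content, len(rest))
	}
}
```

The point of the ordering is that every comparison involving the attacker-controlled length happens in a type wide enough to hold it, and the conversion to the platform int is the last step, after the value is known to be no larger than the buffer.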
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-16 23:05:38 UTC
We need to check which versions contain https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-16 23:16:13 UTC
Vulnerability is in dev-go/go-crypto!

Package has no stable ebuild.

@ maintainer(s): Please bump and drop =dev-go/go-crypto-0_pre20180816 afterwards!
Comment 5 Zac Medico gentoo-dev 2020-03-20 06:27:03 UTC
The dev-go/go-crypto package is deprecated and the only non-masked and non-deprecated consumer package is dev-embedded/arduino-builder-1.4.1 (dev-embedded/arduino-builder-1.4.1-r1 is fixed).

The dependency chain is:

dev-embedded/arduino-builder-1.4.1 ->
   dev-go/go-net (deprecated) ->
       dev-go/go-crypto (deprecated)

@embedded: please remove dev-embedded/arduino-builder-1.4.1.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-04-23 21:23:01 UTC
CVE-2019-11841 (https://nvd.nist.gov/vuln/detail/CVE-2019-11841):
  A message-forgery issue was discovered in
  crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography
  libraries 2019-03-25. According to the OpenPGP Message Format specification
  in RFC 4880 chapter 7, a cleartext signed message can contain one or more
  optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message
  digest algorithm(s) used for the signature. However, the Go clearsign
  package ignores the value of this header, which allows an attacker to spoof
  it. Consequently, an attacker can lead a victim to believe the signature was
  generated using a different message digest algorithm than what was actually
  used. Moreover, since the library skips Armor Header parsing in general, an
  attacker can not only embed arbitrary Armor Headers, but also prepend
  arbitrary text to cleartext messages without invalidating the signatures.
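An added example, not code from golang.org/x/crypto or from the patch referenced in this bug: a Go parser for the RFC 4880 section 7 cleartext envelope that enforces what the CVE text above says the vulnerable clearsign package skipped. It rejects text before the BEGIN line, Armor Headers other than Hash, and Hash values outside an allowlist, and it lets the caller check the declared digest against the one the signature actually used. The allowlist (SHA-2 family only), the sample messages and the placeholder signature blocks are this example's own constructions; nothing here parses or verifies the signature packet.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

const (
	beginMessage   = "-----BEGIN PGP SIGNED MESSAGE-----"
	beginSignature = "-----BEGIN PGP SIGNATURE-----"
)

// allowedHashes is this example's policy, not a list taken from x/crypto.
var allowedHashes = map[string]bool{"SHA224": true, "SHA256": true, "SHA384": true, "SHA512": true}

// Clearsigned holds the parts of a cleartext-signed message the header check needs.
type Clearsigned struct {
	Hashes []string // digest algorithms declared in "Hash" Armor Headers
	Body   string   // dash-unescaped cleartext, lines joined with "\n"
}

// ParseClearsigned reads the RFC 4880 section 7 envelope strictly: the BEGIN
// line must come first, only "Hash" headers are accepted, and every declared
// digest must be on the allowlist. The signature block is left untouched.
func ParseClearsigned(msg string) (*Clearsigned, error) {
	sc := bufio.NewScanner(strings.NewReader(msg))

	// Anything before the BEGIN line is outside the signed region; refuse it
	// instead of silently treating it as part of the message.
	if !sc.Scan() || sc.Text() != beginMessage {
		return nil, errors.New("clearsign: message does not start with the BEGIN line")
	}

	// Armor Headers run up to the first empty line. Unknown headers are an
	// error here rather than being skipped, so nothing can be smuggled in.
	var hashes []string
	for {
		if !sc.Scan() {
			return nil, errors.New("clearsign: truncated armor headers")
		}
		line := sc.Text()
		if line == "" {
			break
		}
		key, value, ok := strings.Cut(line, ": ")
		if !ok || key != "Hash" {
			return nil, fmt.Errorf("clearsign: unexpected armor header %q", line)
		}
		for _, h := range strings.Split(value, ",") {
			h = strings.TrimSpace(h)
			if !allowedHashes[h] {
				return nil, fmt.Errorf("clearsign: unsupported hash algorithm %q", h)
			}
			hashes = append(hashes, h)
		}
	}
	if len(hashes) == 0 {
		return nil, errors.New("clearsign: no Hash armor header")
	}

	// Cleartext runs until the signature armor; "- " is the dash escape.
	var body []string
	for {
		if !sc.Scan() {
			return nil, errors.New("clearsign: missing signature block")
		}
		line := sc.Text()
		if line == beginSignature {
			break
		}
		body = append(body, strings.TrimPrefix(line, "- "))
	}
	return &Clearsigned{Hashes: hashes, Body: strings.Join(body, "\n")}, nil
}

// CheckSignatureHash enforces the consistency the CVE says was missing: the
// digest the signature packet used (sigHash, as read by the caller from that
// packet) must be one of the algorithms the header declared.
func CheckSignatureHash(m *Clearsigned, sigHash string) error {
	for _, h := range m.Hashes {
		if h == sigHash {
			return nil
		}
	}
	return fmt.Errorf("clearsign: signature uses %s but header declares %v", sigHash, m.Hashes)
}

// Constructed samples; the signature bodies are placeholders and never verified.
const sigBlock = beginSignature + "\n\niQEzBAEBCAAd...\n-----END PGP SIGNATURE-----\n"
const sampleGood = beginMessage + "\nHash: SHA256\n\nhello world\n" + sigBlock
const samplePrepended = "Attacker text before the envelope\n" + sampleGood
const sampleWeakHash = beginMessage + "\nHash: MD5\n\nhello world\n" + sigBlock
const sampleInjectedHeader = beginMessage + "\nHash: SHA256\nComment: injected\n\nhello world\n" + sigBlock

func main() {
	for name, s := range map[string]string{"good": sampleGood, "prepended": samplePrepended,
		"weak-hash": sampleWeakHash, "injected-header": sampleInjectedHeader} {
		if m, err := ParseClearsigned(s); err != nil {
			fmt.Printf("%-16s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-16s accepted: hashes=%v body=%q\n", name, m.Hashes, m.Body)
		}
	}
}
```

In a real verifier the value passed to CheckSignatureHash would be taken from the parsed signature packet's hash algorithm field; the check only has teeth if that comparison is made, which is the step the CVE description says the library omitted.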
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 03:52:29 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 8 Larry the Git Cow gentoo-dev 2020-04-26 20:55:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0bf6a932af3237502fe2660e7df20a5924ed3f4

commit a0bf6a932af3237502fe2660e7df20a5924ed3f4
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-04-26 20:53:17 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-04-26 20:55:07 +0000

    package.mask: Last rite dev-go/go-crypto and go-net
    
    Bug: https://bugs.gentoo.org/710142
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 profiles/package.deprecated | 2 --
 profiles/package.mask       | 7 +++++++
 2 files changed, 7 insertions(+), 2 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-26 20:56:44 UTC
Tree not yet clean, last-rited though.
Comment 10 Larry the Git Cow gentoo-dev 2020-05-31 10:25:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b426ca4581a3e97056d7f200150f2a2dab8b6f8

commit 5b426ca4581a3e97056d7f200150f2a2dab8b6f8
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-31 10:24:23 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-31 10:25:03 +0000

    dev-go/go-crypto: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/710142
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-go/go-crypto/Manifest                       |  1 -
 dev-go/go-crypto/go-crypto-0_pre20180816.ebuild | 45 ----------------------
 dev-go/go-crypto/go-crypto-9999.ebuild          | 50 -------------------------
 dev-go/go-crypto/metadata.xml                   | 10 -----
 profiles/package.mask                           |  5 ---
 5 files changed, 111 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9761dd993c705e4d198bdef66edddef4e864bfba

commit 9761dd993c705e4d198bdef66edddef4e864bfba
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-31 10:24:17 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-31 10:24:58 +0000

    dev-go/go-net: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/710142
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-go/go-net/Manifest                    |  1 -
 dev-go/go-net/go-net-0_pre20180816.ebuild | 56 -----------------------------
 dev-go/go-net/go-net-9999.ebuild          | 59 -------------------------------
 dev-go/go-net/metadata.xml                | 10 ------
 profiles/package.mask                     |  1 -
 5 files changed, 127 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16cb1381d8d2ab6b06b9ef0bace39453cf8b5412

commit 16cb1381d8d2ab6b06b9ef0bace39453cf8b5412
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-31 10:24:09 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-31 10:24:53 +0000

    dev-go/go-sys: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/710142
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-go/go-sys/Manifest                    |  1 -
 dev-go/go-sys/go-sys-0_pre20180816.ebuild | 37 ------------------------------
 dev-go/go-sys/go-sys-9999.ebuild          | 38 -------------------------------
 dev-go/go-sys/metadata.xml                | 10 --------
 profiles/package.mask                     |  1 -
 5 files changed, 87 deletions(-)
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-05-31 10:25:32 UTC
removing