Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 754210 (CVE-2020-28366, CVE-2020-28367) - <dev-lang/go-{1.14.12,1.15.5}: Multiple vulnerabilities (CVE-2020-{28366,28367})
Summary: <dev-lang/go-{1.14.12,1.15.5}: Multiple vulnerabilities (CVE-2020-{28366,28367})
Status: RESOLVED FIXED
Alias: CVE-2020-28366, CVE-2020-28367
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://groups.google.com/forum/?utm_...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-12 22:28 UTC by Sam James
Modified: 2022-08-04 14:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-12 22:28:40 UTC
"We have just released Go 1.15.5 and Go 1.14.12 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.15.5).
math/big: panic during recursive division of very large numbers
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.

crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify may panic when provided crafted public keys and signatures. crypto/ecdsa and crypto/elliptic operations may only be affected if custom CurveParams with unusually large field sizes (several times larger than the largest supported curve, P-521) are in use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request or during a golang.org/x/crypto/otr conversation. Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.

Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this. Thanks to Rémy Oudompheng and Robert Griesemer for their help developing and validating the fix.

This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.
cmd/go: arbitrary code execution at build time through cgo
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.

This can be caused by malicious gcc flags specified via a #cgo directive, or by a malicious symbol name in a linked object file.

Thanks to Imre Rad and to Chris Brown and Tempus Ex respectively for reporting these issues.

These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues golang.org/issue/42556 and golang.org/issue/42559 respectively."
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-13 00:26:49 UTC
x86 stable
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-13 04:56:26 UTC
arm64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-13 04:56:49 UTC
arm done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-13 04:57:12 UTC
amd64 done
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-11-14 19:28:20 UTC
ppc64 stable
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-14 20:38:37 UTC
Please cleanup.
Comment 7 Larry the Git Cow gentoo-dev 2020-11-15 21:18:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec56133b486dc13e5e462510653df559aa223396

commit ec56133b486dc13e5e462510653df559aa223396
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-11-15 21:15:27 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-11-15 21:18:02 +0000

    dev-lang/go: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/754210
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   4 -
 dev-lang/go/go-1.14.10.ebuild | 188 ------------------------------------------
 dev-lang/go/go-1.14.11.ebuild | 188 ------------------------------------------
 dev-lang/go/go-1.15.3.ebuild  | 188 ------------------------------------------
 dev-lang/go/go-1.15.4.ebuild  | 188 ------------------------------------------
 5 files changed, 756 deletions(-)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 21:14:19 UTC
Adding Portage 3.0.9 stabilisation to See Also because it includes a set to rebuild all Go packages. This will be useful to include in Go GLSAs.
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:25:25 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:33:58 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:41:51 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:50:00 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:05:54 UTC
Package list is empty or all packages have requested keywords.
Comment 14 Larry the Git Cow gentoo-dev 2022-08-04 14:02:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:05:52 UTC
GLSA released, all done!