766216 – (CVE-2021-3114, CVE-2021-3115) <dev-lang/go-{1.14.14,1.15.7}: multiple vulnerabilities (CVE-2021-{3114,3115})

Bug 766216 (CVE-2021-3114, CVE-2021-3115) - <dev-lang/go-{1.14.14,1.15.7}: multiple vulnerabilities (CVE-2021-{3114,3115})

Summary: <dev-lang/go-{1.14.14,1.15.7}: multiple vulnerabilities (CVE-2021-{3114,3115})

Status:	RESOLVED FIXED

Alias:	CVE-2021-3114, CVE-2021-3115

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal with 1 vote (vote)
Assignee:	Gentoo Security

URL:	https://groups.google.com/g/golang-an...
Whiteboard:	B2 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-01-19 23:49 UTC by John Helmert III
Modified:	2022-08-04 14:15 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-01-19 23:49:34 UTC

CVE-2021-3115 (golang.org/issue/43783):

The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running “go get”, or any other command that builds code. Only users who build untrusted code (and don’t execute it) are affected.

In addition to Windows users, this can also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” or build commands outside of a module or with module mode disabled.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

For more background on the cmd/go change and help deciding whether your own programs might have similar issues, see our blog post at https://blog.golang.org/path-security.


CVE-2021-3114 (golang.org/issue/43786):

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).


Fixed in 1.14.14 and 1.15.7. Please bump

Comment 1 William Hubbs gentoo-dev

2021-01-21 15:52:16 UTC

These are in the tree.

Comment 2 Larry the Git Cow gentoo-dev

2021-01-21 15:57:41 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec2e47baa4227a13f55d6499312aaff571964b18

commit ec2e47baa4227a13f55d6499312aaff571964b18
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-21 15:54:42 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-21 15:57:17 +0000

    dev-lang/go: stable 1.14.14 and 1.15.7 on amd64
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.14.14.ebuild | 2 +-
 dev-lang/go/go-1.15.7.ebuild  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comment 3 Sam James archtester

2021-01-22 01:49:44 UTC

x86 done

Comment 4 Sam James archtester

2021-01-23 05:55:50 UTC

arm64 done

Comment 5 Sam James archtester

2021-01-24 04:54:23 UTC

ppc64 done

Comment 6 Sam James archtester

2021-01-27 22:46:14 UTC

arm done

all arches done

Comment 7 John Helmert III archtester

2021-01-27 22:50:22 UTC

Please cleanup.

Comment 8 Larry the Git Cow gentoo-dev

2021-01-28 00:20:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f94a9c778deffc13c4bcb9ec27d5cf90c19c1b5e

commit f94a9c778deffc13c4bcb9ec27d5cf90c19c1b5e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-28 00:17:12 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-28 00:17:41 +0000

    dev-lang/go: remove 1.14.13-r1 and 1.15.6-r1
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.14.13-r1.ebuild | 197 ---------------------------------------
 dev-lang/go/go-1.15.6-r1.ebuild  | 197 ---------------------------------------
 2 files changed, 394 deletions(-)

Comment 9 Larry the Git Cow gentoo-dev

2021-01-28 00:22:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=220629a3e1e453af234c61605a6c4ea2ff44d840

commit 220629a3e1e453af234c61605a6c4ea2ff44d840
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-28 00:21:23 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-28 00:21:56 +0000

    dev-lang/go: fix manifest
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest | 2 --
 1 file changed, 2 deletions(-)

Comment 10 Sam James archtester

2021-01-28 02:19:27 UTC

Added to existing GLSA request.

Comment 11 NATTkA bot gentoo-dev

2021-07-29 17:24:25 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:32:55 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 17:40:46 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 17:48:57 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 15 NATTkA bot gentoo-dev

2021-07-29 18:04:52 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 16 NATTkA bot gentoo-dev

2021-07-29 18:13:10 UTC

Package list is empty or all packages have requested keywords.

Comment 17 Larry the Git Cow gentoo-dev

2022-08-04 14:02:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

Comment 18 John Helmert III archtester

2022-08-04 14:15:06 UTC

GLSA released, all done!