Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 766216 (CVE-2021-3114, CVE-2021-3115) - <dev-lang/go-{1.14.14,1.15.7}: multiple vulnerabilities (CVE-2021-{3114,3115})
Summary: <dev-lang/go-{1.14.14,1.15.7}: multiple vulnerabilities (CVE-2021-{3114,3115})
Status: IN_PROGRESS
Alias: CVE-2021-3114, CVE-2021-3115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
URL: https://groups.google.com/g/golang-an...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-19 23:49 UTC by John Helmert III
Modified: 2021-07-29 18:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-01-19 23:49:34 UTC
CVE-2021-3115 (golang.org/issue/43783):

The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running “go get”, or any other command that builds code. Only users who build untrusted code (and don’t execute it) are affected.

In addition to Windows users, this can also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” or build commands outside of a module or with module mode disabled.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

For more background on the cmd/go change and help deciding whether your own programs might have similar issues, see our blog post at https://blog.golang.org/path-security.


CVE-2021-3114 (golang.org/issue/43786):

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).


Fixed in 1.14.14 and 1.15.7. Please bump
Comment 1 William Hubbs gentoo-dev 2021-01-21 15:52:16 UTC
These are in the tree.
Comment 2 Larry the Git Cow gentoo-dev 2021-01-21 15:57:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec2e47baa4227a13f55d6499312aaff571964b18

commit ec2e47baa4227a13f55d6499312aaff571964b18
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-21 15:54:42 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-21 15:57:17 +0000

    dev-lang/go: stable 1.14.14 and 1.15.7 on amd64
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.14.14.ebuild | 2 +-
 dev-lang/go/go-1.15.7.ebuild  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 3 Sam James archtester gentoo-dev Security 2021-01-22 01:49:44 UTC
x86 done
Comment 4 Sam James archtester gentoo-dev Security 2021-01-23 05:55:50 UTC
arm64 done
Comment 5 Sam James archtester gentoo-dev Security 2021-01-24 04:54:23 UTC
ppc64 done
Comment 6 Sam James archtester gentoo-dev Security 2021-01-27 22:46:14 UTC
arm done

all arches done
Comment 7 John Helmert III gentoo-dev Security 2021-01-27 22:50:22 UTC
Please cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2021-01-28 00:20:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f94a9c778deffc13c4bcb9ec27d5cf90c19c1b5e

commit f94a9c778deffc13c4bcb9ec27d5cf90c19c1b5e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-28 00:17:12 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-28 00:17:41 +0000

    dev-lang/go: remove 1.14.13-r1 and 1.15.6-r1
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.14.13-r1.ebuild | 197 ---------------------------------------
 dev-lang/go/go-1.15.6-r1.ebuild  | 197 ---------------------------------------
 2 files changed, 394 deletions(-)
Comment 9 Larry the Git Cow gentoo-dev 2021-01-28 00:22:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=220629a3e1e453af234c61605a6c4ea2ff44d840

commit 220629a3e1e453af234c61605a6c4ea2ff44d840
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-01-28 00:21:23 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-01-28 00:21:56 +0000

    dev-lang/go: fix manifest
    
    Bug: https://bugs.gentoo.org/766216
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest | 2 --
 1 file changed, 2 deletions(-)
Comment 10 Sam James archtester gentoo-dev Security 2021-01-28 02:19:27 UTC
Added to existing GLSA request.
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:24:25 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:32:55 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:40:46 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:48:57 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 18:04:52 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 18:13:10 UTC
Package list is empty or all packages have requested keywords.