Bug 816912 (CVE-2021-38297) - <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)
Summary: <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)
Status: IN_PROGRESS
Alias: CVE-2021-38297
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 817902
Blocks:
Reported: 2021-10-08 02:34 UTC by Sam James
Modified: 2021-12-15 21:31 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-08 02:34:50 UTC
Description:

```
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.

This is issue #48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.
```
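Added example (not part of the bug report or of the Go project): a shell check for the step described above, listing deployed copies of wasm_exec.js that were not replaced after the toolchain upgrade. The function names and the deploy directory are assumptions, and it assumes the installed toolchain is already dev-lang/go 1.17.2 or later, since a matching copy only proves it equals the installed one.

```sh
#!/bin/sh
# Added example: find deployed wasm_exec.js copies that differ from the
# copy shipped by the installed Go toolchain.
#
# Typical call (misc/wasm is where Go releases of this era ship the file;
# /var/www/site is a hypothetical deploy root):
#   sh check.sh "$(go env GOROOT)/misc/wasm/wasm_exec.js" /var/www/site

# SHA-256 of a file, hex digest only (sha256sum from coreutils).
file_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# stale_wasm_exec REF DIR
# Prints every wasm_exec.js below DIR whose content differs from REF.
# Returns 0 if all copies match, 1 if any copy is stale, 2 on bad arguments.
stale_wasm_exec() {
    ref=$1 dir=$2
    [ -f "$ref" ] && [ -d "$dir" ] || return 2
    ref_hash=$(file_hash "$ref")
    stale=$(find "$dir" -type f -name wasm_exec.js | while IFS= read -r f; do
        [ "$(file_hash "$f")" = "$ref_hash" ] || printf '%s\n' "$f"
    done)
    [ -z "$stale" ] && return 0
    printf '%s\n' "$stale"
    return 1
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    stale_wasm_exec "$1" "$2"
    exit $?
fi
```

Any path it prints is a copy that still needs replacing, alongside a rebuild of the WASM modules it loads.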
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-11 05:54:56 UTC
ping
Comment 2 Larry the Git Cow gentoo-dev 2021-10-12 21:40:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19335011ed7ba62e12ca1fa94fb0da3a28e1160e

commit 19335011ed7ba62e12ca1fa94fb0da3a28e1160e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-10-12 21:39:36 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-10-12 21:40:16 +0000

    dev-lang/go: 1.17.2 bump
    
    Bug: https://bugs.gentoo.org/816912
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.2.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 12:39:03 UTC
Please cleanup
Comment 4 William Hubbs gentoo-dev 2021-12-15 18:11:18 UTC
The only version of go in the tree at this point is 1.17.5.