816912 – (CVE-2021-38297) <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)

Bug 816912 (CVE-2021-38297) - <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)

Summary: <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)

Status:	RESOLVED FIXED

Alias:	CVE-2021-38297

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa+]
Keywords:

Depends on:	817902
Blocks:
	Show dependency tree

Reported:	2021-10-08 02:34 UTC by Sam James
Modified:	2022-08-04 14:12 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-10-08 02:34:50 UTC

Description:

```
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.

This is issue #48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.
```

Comment 1 Sam James archtester

2021-10-11 05:54:56 UTC

ping

Comment 2 Larry the Git Cow gentoo-dev

2021-10-12 21:40:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19335011ed7ba62e12ca1fa94fb0da3a28e1160e

commit 19335011ed7ba62e12ca1fa94fb0da3a28e1160e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-10-12 21:39:36 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-10-12 21:40:16 +0000

    dev-lang/go: 1.17.2 bump
    
    Bug: https://bugs.gentoo.org/816912
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.2.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)

Comment 3 John Helmert III archtester

2021-10-17 12:39:03 UTC

Please cleanup

Comment 4 William Hubbs gentoo-dev

2021-12-15 18:11:18 UTC

The only version of go in the tree at this point is 1.17.5.

Comment 5 Larry the Git Cow gentoo-dev

2022-08-04 14:02:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

Comment 6 John Helmert III archtester

2022-08-04 14:12:06 UTC

GLSA released, all done!