Bug 816912 (CVE-2021-38297) - <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)
Summary: <dev-lang/go-1.17.2: Module overwrite with GOARCH=wasm (CVE-2021-38297)
Alias: CVE-2021-38297
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa?]
Depends on: 817902
Reported: 2021-10-08 02:34 UTC by Sam James
Modified: 2021-12-15 21:31 UTC
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-08 02:34:50 UTC

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in after rebuilding any modules.

This is issue #48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-11 05:54:56 UTC
Comment 2 Larry the Git Cow gentoo-dev 2021-10-12 21:40:24 UTC
The bug has been referenced in the following commit(s):

commit 19335011ed7ba62e12ca1fa94fb0da3a28e1160e
Author:     William Hubbs <>
AuthorDate: 2021-10-12 21:39:36 +0000
Commit:     William Hubbs <>
CommitDate: 2021-10-12 21:40:16 +0000

    dev-lang/go: 1.17.2 bump
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: William Hubbs <>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.2.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 12:39:03 UTC
Please cleanup
Comment 4 William Hubbs gentoo-dev 2021-12-15 18:11:18 UTC
The only version of go in the tree at this point is 1.17.5.