Bug 821859 (CVE-2021-41771, CVE-2021-41772) - <dev-lang/go-1.17.3: Multiple vulnerabilities (CVE-2021,{41771,41772})
Status: IN_PROGRESS
Alias: CVE-2021-41771, CVE-2021-41772
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Duplicates: 824590
Depends on: 827857
Reported: 2021-11-04 22:39 UTC by Sam James
Modified: 2021-12-16 10:38 UTC (History)
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-04 22:39:57 UTC
* CVE-2021-41771

```
debug/macho: invalid dynamic symbol table command can cause panic

Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols, due to an out-of-bounds slice operation.

Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue

This is CVE-2021-41771 and Go issue golang.org/issue/48990.
```

* CVE-2021-41772 

```
archive/zip: don't panic on (*Reader).Open

Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument.

Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue.

This is CVE-2021-41772 and Go issue golang.org/issue/48085.
```
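
A defensive wrapper for code that must call `Reader.Open` on untrusted ZIP input, added here as an example (it is not code from the Go project or from this bug). `SafeOpen` and `BuildZip` are hypothetical names and the archives are constructed in memory; the wrapper is defence in depth next to the upgrade to 1.17.3.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"strings"
)

// SafeOpen (hypothetical helper) audits entry names, then opens name from
// untrusted ZIP bytes; a panic inside archive/zip comes back as an error.
func SafeOpen(data []byte, name string) (f fs.File, err error) {
	defer func() {
		if p := recover(); p != nil {
			f, err = nil, fmt.Errorf("archive/zip panicked: %v", p)
		}
	}()
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	for _, e := range r.File {
		if !fs.ValidPath(strings.TrimSuffix(e.Name, "/")) {
			return nil, fmt.Errorf("entry %q: %w", e.Name, fs.ErrInvalid)
		}
	}
	if !fs.ValidPath(name) { // false for the empty string
		return nil, fmt.Errorf("requested name %q: %w", name, fs.ErrInvalid)
	}
	return r.Open(name)
}

// BuildZip returns a constructed in-memory archive with the given entry names.
func BuildZip(names ...string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		if e, err := w.Create(n); err == nil {
			e.Write([]byte("payload"))
		}
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	_, err := SafeOpen(BuildZip("docs/readme.txt", "../outside.txt"), "docs/readme.txt")
	fmt.Println(err) // the archive is rejected before Open runs
}
```

The caller owns the returned `fs.File` and must close it.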
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-18 21:40:06 UTC
*** Bug 824590 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2021-11-29 18:50:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b45593a7ff5827c7382d4132be1b981241ef80e2

commit b45593a7ff5827c7382d4132be1b981241ef80e2
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-11-29 18:33:02 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-11-29 18:49:56 +0000

    dev-lang/go: 1.17.3 bump
    
    Bug: https://bugs.gentoo.org/821859
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.3.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-16 10:38:17 UTC
Tree clean already.