828655 – (CVE-2021-44716, CVE-2021-44717) <dev-lang/go-1.17.5: Multiple vulnerabilities (CVE-2021-{44716,44717})

Bug 828655 (CVE-2021-44716, CVE-2021-44717) - <dev-lang/go-1.17.5: Multiple vulnerabilities (CVE-2021-{44716,44717})

Summary: <dev-lang/go-1.17.5: Multiple vulnerabilities (CVE-2021-{44716,44717})

Status:	RESOLVED FIXED

Alias:	CVE-2021-44716, CVE-2021-44717

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	828877
Blocks:
	Show dependency tree

Reported:	2021-12-10 01:13 UTC by Sam James
Modified:	2022-08-04 14:06 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-12-10 01:13:09 UTC

* CVE-2021-44716

"net/http: limit growth of header canonicalization cache

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.
For users who cannot immediately update to the new release, setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.

This issue is also fixed in golang.org/x/net/http2 v0.0.0-20211209124913-491a49abca63, for users manually configuring HTTP/2.

Thank you to murakmii for reporting this issue.

This is CVE-2021-44716 and Go issue go.dev/issue/50058."

* CVE-2021-44717

"syscall: don’t close fd 0 on ForkExec error

When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.

For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

Thank you to Tomasz Maczukin and Kamil Trzciński of GitLab for reporting this issue.

This is CVE-2021-44717 and Go issue go.dev/issue/50057."

Comment 1 Sam James archtester

2021-12-10 01:13:31 UTC

Please bump to 1.17.5.

Comment 2 Larry the Git Cow gentoo-dev

2021-12-10 22:46:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f53542dc5c463dab1ea1f3b761cf68fb0b71437

commit 5f53542dc5c463dab1ea1f3b761cf68fb0b71437
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-12-10 22:46:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-12-10 22:46:41 +0000

    dev-lang/go: 1.17.5 bump
    
    Bug: https://bugs.gentoo.org/828655
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.5.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)

Comment 3 John Helmert III archtester

2021-12-10 23:55:51 UTC

Please stabilize when ready.

Comment 4 Larry the Git Cow gentoo-dev

2021-12-15 15:39:49 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee5f1f74a5ccf445fc871b342fae19bf478a7a48

commit ee5f1f74a5ccf445fc871b342fae19bf478a7a48
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-12-15 15:38:31 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-12-15 15:38:47 +0000

    dev-lang/go: remove 1.17.2 and 1.17.3
    
    Bug: https://bugs.gentoo.org/828655
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   2 -
 dev-lang/go/go-1.17.2.ebuild | 197 -------------------------------------------
 dev-lang/go/go-1.17.3.ebuild | 197 -------------------------------------------
 3 files changed, 396 deletions(-)

Comment 5 John Helmert III archtester

2021-12-15 21:32:19 UTC

Thank you!

Comment 6 Larry the Git Cow gentoo-dev

2022-08-04 14:02:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

Comment 7 John Helmert III archtester

2022-08-04 14:06:12 UTC

GLSA released, all done!