Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 833156 (CVE-2022-23772, CVE-2022-23773, CVE-2022-23806) - <dev-lang/go-1.17.7: multiple vulnerabilities
Summary: <dev-lang/go-1.17.7: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-23772, CVE-2022-23773, CVE-2022-23806
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://groups.google.com/g/golang-an...
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on: 833200
Blocks:
  Show dependency tree
 
Reported: 2022-02-12 03:59 UTC by John Helmert III
Modified: 2022-02-15 22:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 03:59:03 UTC 
CVE-2022-23772:

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

CVE-2022-23773:

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

CVE-2022-23806:

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

Please bump to Go 1.17.7.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 17:34:39 UTC 
Please stabilize 1.17.7.

commit d0147235053078b6f9987a56239099c077282fbc
Author: William Hubbs <williamh@gentoo.org>
Date:   Fri Feb 11 10:08:11 2022 -0600

    dev-lang/go: 1.17.7 bump

    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-15 22:22:50 UTC 
Please cleanup