Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 838130 (CVE-2022-24675, CVE-2022-27536, CVE-2022-28327) - <dev-lang/go-{1.17.9, 1.18.1}: multiple vulnerabilities
Summary: <dev-lang/go-{1.17.9, 1.18.1}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-24675, CVE-2022-27536, CVE-2022-28327
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
: 839684 (view as bug list)
Depends on: 839012
Blocks:
  Show dependency tree
 
Reported: 2022-04-13 03:03 UTC by Sam James
Modified: 2022-08-04 14:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 03:03:29 UTC
We have just released Go versions 1.18.1 and 1.17.9, minor point releases.

These minor releases include three security fixes following the security policy:
encoding/pem: fix stack overflow in Decode

A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.

Thanks to Juho Nurminen of Mattermost who reported the error.

This is CVE-2022-24675 and https://go.dev/issue/51853.
crypto/elliptic: tolerate all oversized scalars in generic P-256

A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

This was discovered thanks to a Project Wycheproof test vector.

This is CVE-2022-28327 and https://go.dev/issue/52075.
crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18

Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS.

These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.

Thanks to Tailscale for doing weird things and finding this.

This is CVE-2022-27536 and https://go.dev/issue/51759.
Comment 1 Larry the Git Cow gentoo-dev 2022-04-13 15:16:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=523a34ecb8b9f0f7f93af316c902a0128480044e

commit 523a34ecb8b9f0f7f93af316c902a0128480044e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-04-13 15:15:32 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-04-13 15:15:43 +0000

    dev-lang/go: drop 1.18
    
    Bug: https://bugs.gentoo.org/838130
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest       |   1 -
 dev-lang/go/go-1.18.ebuild | 196 ---------------------------------------------
 2 files changed, 197 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afc9f3f7af49f852b1cd7460999519a086b512d9

commit afc9f3f7af49f852b1cd7460999519a086b512d9
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-04-13 15:13:22 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-04-13 15:15:42 +0000

    dev-lang/go: add 1.17.9, 1.18.1
    
    Bug: https://bugs.gentoo.org/838130
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   2 +
 dev-lang/go/go-1.17.9.ebuild | 196 +++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.18.1.ebuild | 196 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 394 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 15:24:49 UTC
Thanks! Please stable when ready.
Comment 3 filip ambroz 2022-04-20 12:35:04 UTC
*** Bug 839684 has been marked as a duplicate of this bug. ***
Comment 4 Larry the Git Cow gentoo-dev 2022-08-04 14:02:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:12:19 UTC
GLSA released, all done!