Bug 862822 (CVE-2022-32189) - <dev-lang/go-{1.17.13,1.18.5}: panic in decoding big.Float, big.Rat
Summary: <dev-lang/go-{1.17.13,1.18.5}: panic in decoding big.Float, big.Rat
Status: RESOLVED FIXED
Alias: CVE-2022-32189
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://groups.google.com/g/golang-an...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 862870
Blocks:
Reported: 2022-08-01 15:48 UTC by John Helmert III
Modified: 2022-08-04 14:14 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-01 15:48:23 UTC
"encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too short.

This is CVE-2022-32189 and Go issue https://go.dev/issue/53871."
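As an added example (not part of this bug report and not the Go project's own code), the guard a defender would put around gob decoding of untrusted big.Float and big.Rat messages: a recover() wrapper that turns the pre-fix panic into an ordinary error, exercised with a constructed message cut down to 3 bytes. The names safeGobDecode and decodeTruncated, and the truncation length, are assumptions of this example.

```go
package main

import (
	"encoding/gob"
	"errors"
	"fmt"
	"math/big"
)

// ErrDecodePanic marks a GobDecode call that panicked instead of returning an error.
var ErrDecodePanic = errors.New("GobDecode panicked on malformed input")

// safeGobDecode calls dst.GobDecode(buf) and converts a panic into an error.
// Go >= 1.17.13 / 1.18.5 already returns an error for a truncated big.Float or
// big.Rat message; on earlier versions the recover() below is what keeps a
// process that decodes untrusted gob data from crashing on a short message.
func safeGobDecode(dst gob.GobDecoder, buf []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrDecodePanic, r)
		}
	}()
	return dst.GobDecode(buf)
}

// decodeTruncated gob-encodes src, keeps only the first n bytes of the message
// (n < 0 keeps the whole message), and decodes them into dst via safeGobDecode.
func decodeTruncated(src gob.GobEncoder, dst gob.GobDecoder, n int) error {
	buf, err := src.GobEncode()
	if err != nil {
		return err
	}
	if n >= 0 && n < len(buf) {
		buf = buf[:n] // constructed input: simulate a message cut short
	}
	return safeGobDecode(dst, buf)
}

func main() {
	f := new(big.Float)
	fmt.Println("whole big.Float:", decodeTruncated(big.NewFloat(1.5), f, -1), f)
	fmt.Println("short big.Float:", decodeTruncated(big.NewFloat(1.5), new(big.Float), 3))
	fmt.Println("short big.Rat:  ", decodeTruncated(big.NewRat(1, 3), new(big.Rat), 3))
}
```

On a patched toolchain the short messages produce the library's own "buffer too small" error; on an unpatched one the same calls return ErrDecodePanic instead of taking the process down.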
Comment 1 Larry the Git Cow gentoo-dev 2022-08-01 22:45:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f195e9ec7b78b80641434a96114feee8adfe0f08

commit f195e9ec7b78b80641434a96114feee8adfe0f08
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-08-01 22:43:48 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-08-01 22:45:00 +0000

    dev-lang/go: add 1.17.13, 1.18.5
    
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.17.13.ebuild | 196 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.18.5.ebuild  | 196 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 394 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-08-04 00:23:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a465470f12c3b436c0b7d7ee75d0cec36c6bdc68

commit a465470f12c3b436c0b7d7ee75d0cec36c6bdc68
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-08-04 00:23:02 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-08-04 00:23:02 +0000

    dev-lang/go: drop 1.18.4
    
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 -
 dev-lang/go/go-1.18.4.ebuild | 196 -------------------------------------------
 2 files changed, 197 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 04:33:12 UTC
Thanks!
Comment 4 Larry the Git Cow gentoo-dev 2022-08-04 14:02:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:14:41 UTC
GLSA released, all done!