Bug 19938

Summary: golang new security issue fixed upstream in 1.6.4
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, bruno, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/708996/
Whiteboard: advisory MGA5-64-OK mga5-32-ok
Source RPM: golang-1.6.3-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-12-13 13:32:44 CET 
Fedora has issued an advisory on December 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7AFKMHIPFDN2WA6H2U45OW535UPNQEBX/

The issue is fixed in 1.6.4 and there's a link to the upstream patch here:
https://bugzilla.redhat.com/show_bug.cgi?id=1401985

Mageia 5 is also affected.
David Walser 2016-12-13 13:33:10 CET

Whiteboard: (none) => MGA5TOO

David Walser 2016-12-13 20:18:49 CET

URL: (none) => https://lwn.net/Vulnerabilities/708996/

Comment 1 Bruno Cornec 2017-01-02 19:20:02 CET 
1.6.4 doesn't build out of the box. Reported upstream in https://github.com/golang/go/issues/18491

I'll update cauldron to 1.7.4 and cherry pick the fix for 1.6.3 in MGA5.

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2017-01-02 21:20:02 CET 
MGA 5 has a proposed fix with 1.6.4. I have pushed it to updates_testing.

I'll provide that one for cauldron too, while working on a more recent version (but doesn't work out of the box for now)

Assignee: bruno => qa-bugs

Comment 3 David Walser 2017-01-04 00:04:32 CET 
Bruno also added the advisory in SVN (same description as in the RedHat Bugzilla, as seen on the LWN entry).  Thanks Bruno!

CC: (none) => bruno
Version: Cauldron => 5
Whiteboard: MGA5TOO => advisory

Comment 4 Lewis Smith 2017-01-08 13:47:59 CET 
Prior to testing this, had a look at test procedure possibilities in Bug 19102; but need to clarify that before trying to employ it.

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2017-01-10 13:23:13 CET 
Testing M5 x64, OK

Following https://bugs.mageia.org/show_bug.cgi?id=19102#c11 using the two simple scripts provided:
 https://bugs.mageia.org/attachment.cgi?id=8444
 https://bugs.mageia.org/attachment.cgi?id=8445
for which many thanks to Len for his groundwork.

BEFORE the update, I installed:
 golang-1.6.3-1.mga5
 golang-bin-1.6.3-1.mga5
 golang-misc-1.6.3-1.mga5
 golang-shared-1.6.3-1.mga5
 golang-src-1.6.3-1.mga5
 golang-tests-1.6.3-1.mga5

 $ go run dup1.go < dup1.go
 5	
 2		}
correctly reports 5 blank lines and two occurrences of "	}".

 $ go test fail_test.go
 --- FAIL: TestErrorreport (0.00s)
 	fail_test.go:6: I'm in a bad mood.
 FAIL
 FAIL	command-line-arguments	0.007s
which is correct.

AFTER seamless update to:
 golang-1.6.4-1.mga5
 golang-bin-1.6.4-1.mga5
 golang-misc-1.6.4-1.mga5
 golang-shared-1.6.4-1.mga5
 golang-src-1.6.4-1.mga5
 golang-tests-1.6.4-1.mga5

the two tests gave the same output as previously. Update deemed OK.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 6 Brian Rockwell 2017-01-13 15:46:38 CET 
$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux

To satisfy dependencies, the following package(s) also need to be installed:

- gcc-4.9.2-4.1.mga5.i586
- gcc-cpp-4.9.2-4.1.mga5.i586
- golang-bin-1.6.4-1.mga5.i586
- golang-src-1.6.4-1.mga5.noarch
- libmpc3-1.0.2-4.mga5.i586


I repeated Lewis' tests and experienced the same results

This is ready to go 32-bit

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK mga5-32-ok
CC: (none) => brtians1, sysadmin-bugs

Comment 7 Mageia Robot 2017-01-14 22:06:01 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0019.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED