Bug 25616

Summary: golang new security issue CVE-2019-17596
Product: Mageia Reporter: Zombie Ryushu <zombie.ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno, joequant, luigiwalser, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://linuxsecurity.com/advisories/debian/debian-dsa-4551-1-golang-1-11-security-update-17-09-14
Whiteboard: MGA7-64-OK
Source RPM: golang-1.12.8-1.mga7.src.rpm CVE:
Status comment:

Description Zombie Ryushu 2019-10-26 00:15:07 CEST 
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4551-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : golang-1.11
CVE ID         : CVE-2019-17596

Daniel Mandragona discovered that invalid DSA public keys can cause a
panic in dsa.Verify(), resulting in denial of service.

For the stable distribution (buster), this problem has been fixed in
version 1.11.6-1+deb10u3.

We recommend that you upgrade your golang-1.11 packages.

For the detailed security status of golang-1.11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.11

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Jani Välimaa 2019-10-26 15:04:15 CEST

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 1 Lewis Smith 2019-10-26 20:31:46 CEST 
Note: this alert is for golang-1.11; we have golang-1.12 . Is this valid?

Assigning to joquant as registered maintainer for golang, in case it is.
CC DavidW for security bug.

Source RPM: golang => golang-1.12.8-1.mga7.src.rpm
Assignee: bugsquad => joequant
CC: (none) => luigiwalser

Comment 2 David Walser 2019-10-27 17:03:29 CET 
Zombie, please provide a link to the advisory and don't copy and paste the text.

Lewis, I am the security group, so I already get the e-mails.  You don't need to CC me.
Comment 3 David Walser 2019-10-27 17:22:09 CET 
Advisory link from October 25:
https://www.debian.org/security/2019/dsa-4551

The issue is fixed upstream in 1.12.11 and 1.13.2:
https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ

Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Summary: golang-1.11 security update (CVE-2019-17596) => golang new security issue CVE-2019-17596

David Walser 2019-10-27 17:22:40 CET

Assignee: joequant => bruno
CC: (none) => joequant

Comment 4 Bruno Cornec 2019-10-28 23:53:55 CET 
golang 1.13.2 pushed to cauldron

Status: NEW => ASSIGNED

Comment 5 Bruno Cornec 2019-10-29 00:10:40 CET 
upstream golang 1.12.11 pushed to mga7 updates_testing

Assignee: bruno => qa-bugs

Comment 6 David Walser 2019-10-29 03:26:05 CET 
Advisory:
========================

Updated golang packages fix security vulnerability:

Daniel Mandragona discovered that invalid DSA public keys can cause a panic in
dsa.Verify(), resulting in denial of service (CVE-2019-17596).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596
https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
https://www.debian.org/security/2019/dsa-4551
========================

Updated packages in core/updates_testing:
========================
golang-1.12.11-1.mga7
golang-docs-1.12.11-1.mga7
golang-misc-1.12.11-1.mga7
golang-tests-1.12.11-1.mga7
golang-src-1.12.11-1.mga7
golang-bin-1.12.11-1.mga7
golang-shared-1.12.11-1.mga7

from golang-1.12.11-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
CC: (none) => bruno
Version: Cauldron => 7

Comment 7 Len Lawrence 2019-10-30 19:17:03 CET 
Mageia7, x86_64

No proofs of concept found for the CVEs.
Updated golang from version 1.12.8 to 1.12.11, seven packages.

Ran exactly the same tests as in bug #25372 including the simple reverse string test.
Building docker is recommended as a test of the compiler:

<Thanks to David Walser for this procedure>

$ magarepo co -d 7 docker
$ cd docker
$ ls
SOURCES/  SPECS/
$ bm -ls
creating package list
processing package docker-%{moby_version}-%mkrel 1
building source package
warning: Macro expanded in comment on line 40: %{shortcommit}

Wrote: /data/qa/golang/docker/SRPMS/docker-18.09.8-1.mga7.src.rpm
succeeded!
$ ls
BUILD/  BUILDROOT/  RPMS/  SOURCES/  SPECS/  SRPMS/
$ sudo urpmi --buildrequires SPECS/docker.spec
<Thanks Stig>
In order to satisfy the 'go-md2man' dependency, one of the following packages is needed:
 1- go-md2man-1.0.8-1.mga7.x86_64: Transform md into man pages (to install)
 2- golang-github-cpuguy83-go-md2man-1.0.8-1.mga7.x86_64: Process markdown into manpages (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  go-md2man                      1.0.8        1.mga7        x86_64  
  golang-net-devel               0.1.git84a4> 9.mga7        x86_64  
  lib64sqlite3-devel             3.28.0       1.mga7        x86_64  
  lib64xcrypt-static-devel       4.4.6        1.mga7        x86_64  
(medium "Core Updates (distrib3)")
  glibc-static-devel             2.29         16.mga7       x86_64  
  lib64btrfs-devel               5.2.2        1.mga7        x86_64  
  lib64devmapper-devel           1.02.154     1.1.mga7      x86_64  
76MB of additional disk space will be used.
32MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) 
[...]
$ bm -l
[...]
Wrote: /data/qa/golang/docker/SRPMS/docker-18.09.8-1.mga7.src.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-devel-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-fish-completion-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-logrotate-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-unit-test-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-vim-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-zsh-completion-18.09.8-1.mga7.x86_64.rpm
Wrote: /data/qa/golang/docker/RPMS/x86_64/docker-nano-18.09.8-1.mga7.x86_64.rpm
Executing(%clean): /bin/sh -e /data/qa/golang/docker/BUILDROOT/rpm-tmp.OULnLG
+ umask 022
+ cd /data/qa/golang/docker/BUILD
+ cd docker-ce-18.09.8
+ /usr/bin/rm -rf /data/qa/golang/docker/BUILDROOT/docker-18.09.8-1.mga7.x86_64
+ exit 0
succeeded!

OK for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 8 Thomas Andrews 2019-10-30 22:06:18 CET 
Looks good enough to me, Len. Validating. Advisory in Comment 6.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-11-02 16:15:16 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2019-11-02 17:56:11 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0310.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2019-12-03 21:24:09 CET 
This update also fixed CVE-2019-16276 (fixed in 1.12.10):
https://lists.opensuse.org/opensuse-updates/2019-11/msg00099.html