| Summary: | golang new security issues CVE-2020-2836[267] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, bruno, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-32-OK MGA7-64-OK | | |
| Source RPM: | golang-1.13.15-2.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2020-11-23 16:56:55 CET

David Walser 2020-11-23 16:57:01 CET
Whiteboard: (none) => MGA7TOO

SUSE has issued advisories on November 19:
https://lists.suse.com/pipermail/sle-security-updates/2020-November/007807.html
https://lists.suse.com/pipermail/sle-security-updates/2020-November/007806.html

It fixes two more issues also fixed in the same upstream versions.
Summary: golang new security issue CVE-2020-28367 => golang new security issues CVE-2020-2836[267]

Fedora has issued an advisory for this today (November 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/

Hi, thanks for reporting this bug. Assigned to the package maintainer.
(Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => joequant

David Walser 2020-11-25 20:32:15 CET
CC: (none) => bruno

Joseph Wang 2020-11-26 05:58:27 CET
Status: NEW => ASSIGNED
Submitted 1.15 to Cauldron; a new version of 1.13 had not been submitted.

golang-1.15.5-1.mga8 uploaded for Cauldron. For Mageia 7, we'll have to backport a patch.
Whiteboard: MGA7TOO => (none)

openSUSE has issued an advisory for this on November 27:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IQVUQXAVUQCNNOSHNTQGRCAEYALRL2NA/

Mageia 7 has go 1.13 which is NOT vulnerable to this issue per https://github.com/golang/go/issues/42552
Status: ASSIGNED => RESOLVED

Incorrect.
Resolution: INVALID => (none)

There are three CVEs here, and upstream only says that 1.13 is not supported, not that it's not affected.

In the link I mentioned the following is written:
"It does look like this vulnerability was introduced by the recursive division algorithm implementation, which appears since go1.14beta. This issue could be limited to golang versions > 1.14, but it would be good to confirm that somehow."
And if 1.13 is not supported, we won't get any patch to apply.

Hmm, yeah I see that now. We won't get backported patches from upstream, but maybe another distro does it or we do it ourselves.

CVE-2020-28366 and CVE-2020-28367 commits are below:
https://github.com/golang/go/commit/062e0e5ce6df339dc26732438ad771f73dbf2292
https://github.com/golang/go/commit/da7aa86917811a571e6634b45a457f918b8e6561

I had to tweak the patches (not knowing Go) in order to adapt them to our older version, but I think I fixed it. So golang-1.13.15-3.mga7 is on its way to updates_testing.
Assignee: joequant => qa-bugs

Nice work.

Advisory:
========================

Updated golang packages fix security vulnerabilities:

An input validation vulnerability was found in go. From a generated go file (from the cgo tool) it is possible to modify symbols within that object file and specify code instead. An attacker could potentially use this flaw by creating a repository which included malicious pre-built object files that could execute arbitrary code when downloaded and run via "go get" or "go build" whilst building a go project (CVE-2020-28366).

An input validation vulnerability was found in go. If cgo is specified in a go file, it is possible to bypass the validation of arguments to the gcc compiler. An attacker could potentially use this flaw by creating a malicious repository which would execute arbitrary code when downloaded and run via "go get" or "go build" whilst building a go project (CVE-2020-28367).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28367
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/
========================

Updated packages in core/updates_testing:
========================
golang-1.13.15-3.mga7
golang-docs-1.13.15-3.mga7
golang-misc-1.13.15-3.mga7
golang-tests-1.13.15-3.mga7
golang-src-1.13.15-3.mga7
golang-bin-1.13.15-3.mga7
golang-shared-1.13.15-3.mga7

from golang-1.13.15-3.mga7.src.rpm

Referenced Bug 26465 for testing procedure: building docker. Used the same 32-bit hardware I used in my tests for that bug, a Dell Inspiron 5100, with an Xfce system.

Installed all 7 packages and their dependencies, then updated. No installation issues.

Followed Len Lawrence's commands from https://bugs.mageia.org/show_bug.cgi?id=26465#c3 to build docker, eventually ending with the "Succeeded!" message. As this has been an adequate test before, I am giving this a 32-bit OK.

I will test the 64-bit packages for installation issues before validating.
CC: (none) => andrewsfarm

Thomas Andrews 2021-01-09 02:26:00 CET
Whiteboard: (none) => MGA7-32-OK

I decided to do the same test with a 64-bit system, and got the same result. So as far as this test is concerned, it's ready to go.

Validating. Advisory in Comment 13.
CC: (none) => sysadmin-bugs

Advisory pushed to SVN.
Keywords: Triaged => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0018.html
Resolution: (none) => FIXED
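The advisory quoted in the thread describes CVE-2020-28367 as a bypass of the go command's validation of the gcc arguments a package supplies through `#cgo` directives, and CVE-2020-28366 as abuse of what cgo-generated files may contain. As an added example, not code from this bug report or from the Go project, here is a small audit tool a packager or reviewer can run over an untrusted dependency before `go get`/`go build` ever invokes gcc: it pulls every `#cgo CFLAGS/LDFLAGS/...` directive and every hand-written `//go:cgo_*` directive out of a Go source file and reports each flag that falls outside a narrow allowlist. The allowlist, the regular expressions, the sample file and the two rejected flags (`-fplugin=`, which really does make gcc load and run a plugin at compile time, and an arbitrary `-Wl,` pass-through) are all constructed for illustration; they are not the allowlist or the specific flags from the upstream fix commits linked above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious cgo directive found in a Go source file.
type Finding struct {
	Line int
	Kind string // "cgo-flag" (flag outside the allowlist) or "cgo-directive" (hand-written //go:cgo_*)
	Text string
}

// allowedFlag is a deliberately narrow allowlist of compiler and linker flags that a
// hand-written #cgo directive may carry. It is assumed for this example and is NOT the
// allowlist cmd/go itself applies. Anything not matching is reported for review.
var allowedFlag = regexp.MustCompile(
	`^(-D[A-Za-z_][A-Za-z0-9_]*(=[A-Za-z0-9_.]*)?` + // -DNAME or -DNAME=value
		`|-[IL][A-Za-z0-9_./-]+` + // include / library search paths
		`|-l[A-Za-z0-9_.-]+` + // libraries to link against
		`|-O[0-3s]?|-g|-W(all|extra|error)` + // optimisation, debug info, warnings
		`|-std=[a-z0-9+]+|-pthread|-f(no-)?PI[CE])$`)

// cgoLine matches "#cgo [GOOS/GOARCH constraints] CFLAGS: ..." either as a bare line
// inside a /* */ preamble or prefixed with "//". Group 1 is the flag kind, group 2 the flags.
var cgoLine = regexp.MustCompile(
	`^\s*(?://)?\s*#cgo\s+(?:\S+\s+)*?(CFLAGS|CPPFLAGS|CXXFLAGS|FFLAGS|LDFLAGS|pkg-config):\s*(.*)$`)

// cgoDirective matches //go:cgo_* directives (cgo_ldflag, cgo_import_dynamic, ...). The cgo
// tool emits these into generated files; one written by hand in a repository is worth a look.
var cgoDirective = regexp.MustCompile(`^\s*//go:cgo_[a-z_]+`)

// AuditSource scans one Go source file and returns every directive a reviewer should
// inspect before building the package with cgo enabled.
func AuditSource(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if cgoDirective.MatchString(line) {
			out = append(out, Finding{n, "cgo-directive", strings.TrimSpace(line)})
			continue
		}
		m := cgoLine.FindStringSubmatch(line)
		if m == nil || m[1] == "pkg-config" { // pkg-config names are not flags; not checked here
			continue
		}
		for _, flag := range strings.Fields(m[2]) {
			if !allowedFlag.MatchString(flag) {
				out = append(out, Finding{n, "cgo-flag", flag})
			}
		}
	}
	return out
}

// sample is a constructed, hostile-looking Go file for the demonstration; it is not
// taken from any real repository.
const sample = `package hostile

/*
#cgo CFLAGS: -I./include -DNDEBUG -O2
#cgo LDFLAGS: -L./lib -lhelper
#cgo linux LDFLAGS: -Wl,--some-linker-option=./evil.so
#cgo CFLAGS: -fplugin=./plugin.so
#include "helper.h"
*/
import "C"

//go:cgo_ldflag "-Wl,-rpath,/tmp/x"

func Run() { C.helper() }
`

func main() {
	for _, f := range AuditSource(sample) {
		fmt.Printf("line %2d  %-14s %s\n", f.Line, f.Kind, f.Text)
	}
}
```

Run against the constructed sample, the two innocuous directives pass and three findings come back: the `-Wl,` pass-through on line 6, `-fplugin=./plugin.so` on line 7 and the hand-written `//go:cgo_ldflag` on line 12. The point of an allowlist rather than a denylist is the one this thread turns on: a distribution stuck on an unsupported toolchain (go 1.13 here) cannot rely on upstream to keep enumerating dangerous flags, whereas a short list of flags a package legitimately needs stays correct as new gcc options appear. The check is independent of whatever cmd/go itself enforces, so it can be run on the source tree before the build, including from a CI step that has no Go toolchain at all.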