| Summary: | golang new security issues CVE-2022-24675 CVE-2022-27536 CVE-2022-28327 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | golang-1.17.8-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

David Walser
2022-05-02 19:52:06 CEST

David Walser
2022-05-02 19:52:23 CEST

Status comment: (none) => Fixed upstream in 1.17.9

openSUSE has issued an advisory on April 26:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6F72F4XQADWZ2XEWVPBHNKW46B6FKIXL/

---

joequant updated cauldron. I did the proposal of update for mga8:
SRPMS/golang-1.17.9-1.mga8.src.rpm

CC: (none) => bruno

---

golang-tests-1.17.9-1.mga8
golang-1.17.9-1.mga8
golang-misc-1.17.9-1.mga8
golang-docs-1.17.9-1.mga8
golang-src-1.17.9-1.mga8
golang-shared-1.17.9-1.mga8
golang-bin-1.17.9-1.mga8

from golang-1.17.9-1.mga8.src.rpm

Status comment: Fixed upstream in 1.17.9 => (none)

---

mga8, x64.

On update, something about a missing signature, but it was possible to install all of the packages and build docker as a test.
```
$ mgarepo co docker
$ cd docker
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source package
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
<Pulled in 49 packages>
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 3
building source and binary packages
succeeded!
$ ls RPMS/x86_64
docker-20.10.14-3.mga8.x86_64.rpm
docker-devel-20.10.14-3.mga8.x86_64.rpm
docker-fish-completion-20.10.14-3.mga8.x86_64.rpm
docker-logrotate-20.10.14-3.mga8.x86_64.rpm
docker-nano-20.10.14-3.mga8.x86_64.rpm
docker-zsh-completion-20.10.14-3.mga8.x86_64.rpm
```
As reliable as ever but the initial error needs to be captured.
Shall check that on another machine.

CC: (none) => tarazed25

---

The following packages have bad signatures:
/var/cache/urpmi/rpms/golang-misc-1.17.9-1.mga8.noarch.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/golang-src-1.17.9-1.mga8.noarch.rpm: Missing signature (OK ((none)))

CC: (none) => davidwhodgins

---

Beat me to it.

Len Lawrence
2022-05-04 09:23:21 CEST

Keywords: (none) => feedback

---

I have no idea why the packages have not all been signed correctly, but this is outside of what I can fix ;-) This is unrelated to the issue here. Let's assume that won't happen when packages are moved to updates after validation.

---

We may need a sysadmin to delete and resubmit it.

CC: (none) => sysadmin-bugs

---

Tried the suggestion to use `urpmi --clean` and reverted to golang-1.17.8-1. Tried again and hit the same two missing certificates. So comment 8 still applies.

---

Deleted and resubmitted to the build system. Should get signed properly this time.

Keywords: feedback => (none)

---

Thanks David. Repeated the update starting with qarepo. The installation succeeded without any error messages. Not strictly necessary to repeat the docker rebuild but did it anyway. No problems.

Whiteboard: (none) => MGA8-64-OK

---

Validating.

CC: (none) => andrewsfarm

---

CVE-2022-27536 appears to be for macOS only, so I've excluded it from the advisory.
Advisory committed to svn as ...

```yaml
type: security
subject: Updated golang packages fix security vulnerability
CVE:
 - CVE-2022-24675
 - CVE-2022-28327
src:
  8:
   core:
     - golang-1.17.9-1.mga8
description: |
  encoding/pem: fix stack overflow in Decode. A large (more than 5 MB) PEM
  input can cause a stack overflow in Decode, leading the program to crash
  (CVE-2022-24675)

  crypto/elliptic: tolerate all oversized scalars in generic P-256. A
  crafted scalar input longer than 32 bytes can cause P256().ScalarMult
  or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
  crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
  (CVE-2022-28327)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30362
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6F72F4XQADWZ2XEWVPBHNKW46B6FKIXL/
```

Keywords: (none) => advisory

---

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0171.html

Status: ASSIGNED => RESOLVED
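The two failure modes in the advisory description above, as an added defensive example (not code from this bug, from Mageia or from the Go project): application-side guards that refuse a PEM input over a size limit before it reaches pem.Decode, and a scalar longer than 32 bytes before it reaches P256().ScalarBaseMult, so a program built with an unpatched toolchain cannot be crashed by either input. The 1 MiB limit, the function names and the sample PEM block are assumptions made for this example.

```go
package main

import (
	"crypto/elliptic"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// maxPEMInput is an assumed application limit (1 MiB). The advisory cites
// inputs over 5 MB as enough to overflow the stack in pem.Decode before 1.17.9.
const maxPEMInput = 1 << 20

// p256ScalarLen is the byte length of a P-256 scalar; longer inputs trigger
// the generic P-256 panic (CVE-2022-28327) on unpatched toolchains.
const p256ScalarLen = 32

var (
	errPEMTooLarge   = errors.New("pem input exceeds size limit")
	errScalarTooLong = errors.New("scalar longer than 32 bytes")
)

// safeDecodePEM rejects oversized input before it reaches pem.Decode.
func safeDecodePEM(data []byte) (*pem.Block, []byte, error) {
	if len(data) > maxPEMInput {
		return nil, nil, errPEMTooLarge
	}
	block, rest := pem.Decode(data)
	return block, rest, nil
}

// safeP256ScalarBaseMult checks the scalar length before calling
// ScalarBaseMult, so no oversized scalar reaches crypto/elliptic.
func safeP256ScalarBaseMult(k []byte) (x, y *big.Int, err error) {
	if len(k) > p256ScalarLen {
		return nil, nil, errScalarTooLong
	}
	x, y = elliptic.P256().ScalarBaseMult(k)
	return x, y, nil
}

// samplePEM is a constructed, syntactically valid block (body is base64 "hello").
const samplePEM = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"

func main() {
	_, _, err := safeP256ScalarBaseMult(make([]byte, 33))
	fmt.Println("33-byte scalar rejected:", err)
	blk, _, _ := safeDecodePEM([]byte(samplePEM))
	fmt.Println("decoded PEM type:", blk.Type)
}
```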