| Summary: | golang new security issue CVE-2022-32189 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | golang-1.18.4-1.mga9.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2022-08-04 19:17:34 CEST
David Walser
2022-08-04 19:17:50 CEST
Status comment: (none) => Fixed upstream in 1.17.13 and 1.18.5

Equivalent openSUSE advisories:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UBLF3UDSD77TBEY3S2W3S7IGDSZS7VVE/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/34MQ2SPQD27SOAZOVYG5PMOGNS6XCNBB/

Updated packages uploaded for Mageia 8 and Cauldron by Bruno.

golang-tests-1.17.13-1.mga8
golang-1.17.13-1.mga8
golang-misc-1.17.13-1.mga8
golang-docs-1.17.13-1.mga8
golang-src-1.17.13-1.mga8
golang-shared-1.17.13-1.mga8
golang-bin-1.17.13-1.mga8

from golang-1.17.13-1.mga8.src.rpm

CC: (none) => bruno

MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Copied the time folder from /usr/lib/golang/lib (installed by the golang-tests package) into my own folder on my home turf. Checked that update.bash runs the go command, then ran the bash file:
$ ./update.bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
100 256k 100 256k 0 0 102k 0 0:00:02 0:00:02 --:--:-- 326k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 402k 100 402k 0 0 319k 0 0:00:01 0:00:01 --:--:-- 2222k
VERSION=`cat version` && printf '%s\n' \
'static char const PKGVERSION[]="(tzcode) ";' \
"static char const TZVERSION[]=\"$VERSION\";" \
'static char const REPORT_BUGS_TO[]="tz@iana.org";' \
>version.h.out
mv version.h.out version.h
cc -DTZDIR='"zoneinfo"' -DSTD_INSPIRED -c -o zic.o zic.c
cc -DTZDIR='"zoneinfo"' -o zic -DSTD_INSPIRED zic.o
awk -v DATAFORM=`expr main.zi : '\(.*\).zi'` -f ziguard.awk \
africa antarctica asia australasia europe northamerica southamerica etcetera factory backward >main.zi.out
mv main.zi.out main.zi
version=`sed 1q version` && \
LC_ALL=C awk \
-v dataform='main' \
-v deps='ziguard.awk africa antarctica asia australasia europe northamerica southamerica etcetera factory backward zishrink.awk' \
-v redo='posix_right' \
-v version="$version" \
-f zishrink.awk \
main.zi >tzdata.zi.out
mv tzdata.zi.out tzdata.zi
make BACKWARD='backward' DESTDIR='' LEAPSECONDS='' PACKRATDATA='' TZDEFAULT='/etc/localtime' TZDIR='zoneinfo' ZIC='./zic ' LEAPSECONDS= install_data
make[1]: Entering directory '/home/tester8/Documents/golang/time/work'
./zic -d 'zoneinfo' tzdata.zi
make[1]: Leaving directory '/home/tester8/Documents/golang/time/work'
adding: Africa/ (stored 0%)
adding: Africa/Kinshasa (stored 0%)
adding: Africa/Kampala (stored 0%)
etc .....
at the end
open zipdata.go: permission denied
exit status 1
/usr/lib/golang/src/time/tzdata/tzdata.go:5: running "go": exit status 1
Meaning I should be able to run in /usr/lib/golang/src/time/tzdata/, but I don't have the necessary access rights there.
Anyway a whole structure has been generated apparently successfully in /home/tester8/Documents/golang/time/work/
so the go command did its work OK.
OK'ing unless someone has objections.

CC: (none) => herman.viaene

Validating.

Keywords: (none) => validated_update

Fedora has issued an advisory for this today (August 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UH4RHZUO6LPJKGF2UZSD2UZOCIGHUI5E/
Dave Hodgins
2022-08-12 22:13:42 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0283.html

Resolution: (none) => FIXED