Bug 31267

Summary: golang new security issue CVE-2022-41717
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: golang-1.18.8-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-12-12 16:39:54 CET 
SUSE has issued advisories on December 9:
https://lists.suse.com/pipermail/sle-security-updates/2022-December/013213.html
https://lists.suse.com/pipermail/sle-security-updates/2022-December/013214.html

The issues are fixed upstream in 1.18.9 and 1.19.4:
https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU

Mageia 8 is also affected.
David Walser 2022-12-12 16:40:25 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.18.9 and 1.19.4

Bruno Cornec 2022-12-12 17:37:37 CET

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2022-12-12 17:54:38 CET 
1.19.4 pushed to cauldron
Comment 3 Bruno Cornec 2022-12-12 18:10:25 CET 
1.18.9 pushed to mga8 updates_testing

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.18.9 and 1.19.4 => (none)
Assignee: bruno => qa-bugs

Comment 4 David Walser 2022-12-13 01:08:16 CET 
golang-tests-1.18.9-1.mga8
golang-1.18.9-1.mga8
golang-misc-1.18.9-1.mga8
golang-docs-1.18.9-1.mga8
golang-src-1.18.9-1.mga8
golang-shared-1.18.9-1.mga8
golang-bin-1.18.9-1.mga8

from golang-1.18.9-1.mga8.src.rpm

Source RPM: golang-1.19.3-1.mga9.src.rpm, golang-1.18.8-1.mga8.src.rpm => golang-1.18.8-1.mga8.src.rpm

Comment 5 Len Lawrence 2022-12-13 12:31:30 CET 
Mageia8, x86_64
Updated the seven packages: qarepo, drakrpm-update.
Ran the docker build test.
$ mgarepo co docker
$ cd docker
$ bm -s
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source package
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
$ bm
creating package list
processing package %{origname}-%{moby_version}-%mkrel 1
building source and binary packages
error: failed!

Restarted from scratch in order to pinpoint the error:
error: Bad exit status from /home/lcl/docker/BUILDROOT/rpm-tmp.4vNuzQ (%build)
RPM build errors:
    Macro expanded in comment on line 43: %{shortcommit_moby}

    line 120: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-swarm
    line 122: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-vim
    Bad exit status from /home/lcl/docker/BUILDROOT/rpm-tmp.4vNuzQ (%build)
error: failed!

Possibly the same point at which the previous golang candidate failed.

Falling back to Herman's last test.
Copied the contents of /usr/lib/golang/src/time/tzdata to a local directory and modified ownership and executable properties of the three files.
$ /usr/lib/golang/lib/time/update.bash
This generated a lot of data but finished with:
open zipdata.go: permission denied
exit status 1
Changed the permissions on zipdata.go and ran the command under sudo.
$ sudo chmod 1755 zipdata.go
$ ll zipdata.go
--rwxr-xr-t 1 lcl  lcl  1412372 Dec 13 11:10 zipdata.go*

$ sudo /usr/lib/golang/lib/time/update.bash
[...]
  adding: Zulu (stored 0%)

New time zone files in zoneinfo.zip.
$ ll zoneinfo.zip
-rw-r--r-- 1 root root 425837 Dec 13 11:20 zoneinfo.zip
Messy, but it worked.

Passing this.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 6 Thomas Andrews 2022-12-15 20:54:37 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-12-17 18:31:44 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-12-17 19:49:39 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0473.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED