Bug 33269

Summary: golang new security issues CVE-2024-24789, CVE-2024-24790
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, sysadmin-bugs, tarazed25
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA9-64-OK
Source RPM: golang-1.21.10-1.mga9.src.rpm
CVE: CVE-2024-24789, CVE-2024-24790
Status comment:

Description Nicolas Salguero 2024-06-05 15:01:21 CEST
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/06/04/1

For Cauldron, 1.22.4 is already built.
Nicolas Salguero 2024-06-05 15:01:59 CEST

CVE: (none) => CVE-2024-24789, CVE-2024-24790
Status comment: (none) => Fixed upstream in 1.21.11
Source RPM: (none) => golang-1.21.10-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-06-13 13:44:06 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. (CVE-2024-24789)

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. (CVE-2024-24790)

References:
https://www.openwall.com/lists/oss-security/2024/06/04/1
========================

Updated packages in core/updates_testing:
========================
golang-1.21.11-1.mga9
golang-bin-1.21.11-1.mga9
golang-docs-1.21.11-1.mga9
golang-misc-1.21.11-1.mga9
golang-shared-1.21.11-1.mga9
golang-src-1.21.11-1.mga9
golang-tests-1.21.11-1.mga9

from SRPM:
golang-1.21.11-1.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.21.11 => (none)
Assignee: bugsquad => qa-bugs
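
The second advisory item above concerns the Is* predicates of net/netip, which before the fix answered false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d). The Go program below is an added example, not part of this bug report or of the Mageia packages: it shows the defensive pattern that gives the same answer on both the 1.21.10 and the 1.21.11 toolchains, namely calling Addr.Unmap() before evaluating IsPrivate, IsLoopback and friends, and it keeps the un-unmapped evaluation alongside so that a tester can see whether the running toolchain still carries the bug. The type and function names (Verdict, classify, rawVerdict, disagrees) and the sample addresses are constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Verdict collects the Is* predicate results for one address.
type Verdict struct {
	Input            string // address as given
	Unmapped         string // canonical form after Addr.Unmap
	Private          bool
	Loopback         bool
	Multicast        bool
	LinkLocalUnicast bool
}

// classify parses s, strips an IPv4-mapped IPv6 prefix with Unmap, and
// evaluates the predicates on the canonical form. Unmap is a no-op for
// plain IPv4 and native IPv6 addresses, so the result is identical on
// toolchains with and without the CVE-2024-24790 fix.
func classify(s string) (Verdict, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return Verdict{}, err
	}
	u := addr.Unmap()
	return Verdict{
		Input:            s,
		Unmapped:         u.String(),
		Private:          u.IsPrivate(),
		Loopback:         u.IsLoopback(),
		Multicast:        u.IsMulticast(),
		LinkLocalUnicast: u.IsLinkLocalUnicast(),
	}, nil
}

// rawVerdict evaluates the same predicates without Unmap. For an
// IPv4-mapped input this is the call pattern affected by CVE-2024-24790:
// an unpatched toolchain reports false for all four, a patched one agrees
// with classify. It is here for comparison only.
func rawVerdict(s string) (Verdict, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return Verdict{}, err
	}
	return Verdict{
		Input:            s,
		Unmapped:         addr.String(),
		Private:          addr.IsPrivate(),
		Loopback:         addr.IsLoopback(),
		Multicast:        addr.IsMulticast(),
		LinkLocalUnicast: addr.IsLinkLocalUnicast(),
	}, nil
}

// disagrees reports whether the raw and unmapped evaluations differ for s.
// A true result for a mapped address means the toolchain lacks the fix.
func disagrees(s string) (bool, error) {
	v, err := classify(s)
	if err != nil {
		return false, err
	}
	r, err := rawVerdict(s)
	if err != nil {
		return false, err
	}
	return r.Private != v.Private || r.Loopback != v.Loopback ||
		r.Multicast != v.Multicast || r.LinkLocalUnicast != v.LinkLocalUnicast, nil
}

func main() {
	// Constructed sample inputs: each IPv4 address paired with its
	// IPv4-mapped IPv6 twin, plus one native IPv6 address as a control.
	samples := []string{
		"10.1.2.3", "::ffff:10.1.2.3",
		"127.0.0.1", "::ffff:127.0.0.1",
		"224.0.0.1", "::ffff:224.0.0.1",
		"169.254.1.1", "::ffff:169.254.1.1",
		"2001:db8::1",
	}
	for _, s := range samples {
		v, err := classify(s)
		if err != nil {
			fmt.Println(s, "parse error:", err)
			continue
		}
		d, _ := disagrees(s)
		fmt.Printf("%-20s unmapped=%-12s private=%-5t loopback=%-5t multicast=%-5t linklocal=%-5t raw-differs=%t\n",
			v.Input, v.Unmapped, v.Private, v.Loopback, v.Multicast, v.LinkLocalUnicast, d)
	}
}
```

Running it with the 1.21.10 binary prints raw-differs=true for every ::ffff: line; with 1.21.11 every line prints raw-differs=false. Code that makes trust decisions on these predicates (loopback-only admin endpoints, private-range allow lists) should use the Unmap form regardless of toolchain, since the un-unmapped call also mis-answers on any older Go still in use.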

katnatek 2024-06-13 19:53:34 CEST

Keywords: (none) => advisory

Comment 2 Len Lawrence 2024-06-13 21:04:01 CEST
mga9, x64
The files updated cleanly.
Checked golang by a local build of docker, e.g. bug 30469.
That ran smoothly and the docker rpms were built.

Good to go.
There is a POC I think but not sure how to apply it.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK

katnatek 2024-06-13 21:17:15 CEST

CC: (none) => andrewsfarm

Comment 3 katnatek 2024-06-13 21:17:32 CEST
Thank you Len
Comment 4 Thomas Andrews 2024-06-14 02:34:46 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-06-14 03:33:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0217.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED