Bug 24014 - golang new security issues CVE-2018-1687[3-5] and CVE-2019-6486
Summary: golang new security issues CVE-2018-1687[3-5] and CVE-2019-6486
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-15 19:01 CET by David Walser
Modified: 2019-02-13 12:10 CET (History)
CC: 7 users

See Also:
Source RPM: golang-1.11.1-3.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-12-15 19:01:02 CET
Upstream has announced version 1.11.3 on December 14, fixing security issues:
https://www.openwall.com/lists/oss-security/2018/12/14/9

Mageia 6 is also affected.
David Walser 2018-12-15 19:01:11 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-12-16 16:22:55 CET
Assigning to the registered maintainer.

Assignee: bugsquad => joequant
CC: (none) => marja11

David Walser 2018-12-16 16:36:54 CET

Assignee: joequant => bruno
CC: (none) => joequant

Comment 2 David Walser 2018-12-26 03:38:44 CET
openSUSE has issued an advisory for this on December 19:
https://lists.opensuse.org/opensuse-updates/2018-12/msg00094.html
Comment 3 David Walser 2019-01-01 21:50:51 CET
golang-1.11.4-1.mga7 uploaded for Cauldron by Stig-Ørjan.

Version: Cauldron => 6
CC: (none) => smelror
Whiteboard: MGA6TOO => (none)

Comment 4 David Walser 2019-02-02 20:03:10 CET
Debian has issued an advisory on February 1:
https://www.debian.org/security/2019/dsa-4380

It fixes one new serious issue, fixed upstream in 1.11.5 (already in Cauldron) and 1.10.8.

Summary: golang new security issues CVE-2018-1687[3-5] => golang new security issues CVE-2018-1687[3-5] and CVE-2019-6486
Severity: normal => critical

Comment 5 Bruno Cornec 2019-02-05 02:25:45 CET
1.11.5-1 pushed to updates_testing for mga6 and 1.11.5-2 bumped for mga7.

Status: NEW => ASSIGNED
Assignee: bruno => qa-bugs

Comment 6 Len Lawrence 2019-02-05 14:42:26 CET
- golang-1.11.5-1.mga6.x86_64
- golang-bin-1.11.5-1.mga6.x86_64
- golang-docs-1.11.5-1.mga6.noarch
- golang-misc-1.11.5-1.mga6.noarch
- golang-shared-1.11.5-1.mga6.x86_64
- golang-src-1.11.5-1.mga6.noarch

These were in updates-testing so they have been installed.  Is it OK to go ahead and test?

CC: (none) => tarazed25

Comment 7 Len Lawrence 2019-02-05 16:55:55 CET
Swurff!!  Wrong bug.
Trying again.
mga6, x86_64

Checked the CVEs and other links; nothing for QA to do.

Set up go directory tree for user at ~/go and defined GOPATH.
$ export GOPATH=/home/$USER/go/
$ tree go
go
├── bin
└── src
    ├── hello_1.go
    ├── hello.go
    └── stringutil
        └── reverse.go

Compiled hello.go and tested it.
Checked out docker revision 1363318 from mga6 repository.

Updated golang from updates-testing.
- golang-1.11.5-1.mga6.x86_64
- golang-bin-1.11.5-1.mga6.x86_64
- golang-docs-1.11.5-1.mga6.noarch
- golang-misc-1.11.5-1.mga6.noarch
- golang-shared-1.11.5-1.mga6.x86_64
- golang-src-1.11.5-1.mga6.noarch

From go src directory:
$ go run hello.go
Good morning QA
!AQ gninrom dooG

$ go build hello.go
$ ls
hello*  hello.go  stringutil/
$ ./hello
Good morning QA
!AQ gninrom dooG

Basic compilation and running is fine.

Building docker has generally been recommended as a test of golang.
$ mgarepo co -d 6 docker
Using the svn mirror.
[...]
Checked out revision 1363406.
[...]

2019-02-05 15:19:21 (618 KB/s) - ‘docker/SOURCES/tini-fec3683.tar.gz’ saved [32156/32156]

$ cd docker
$ bm -ls
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source package
Wrote: /home/lcl/dev/docker/docker/SRPMS/docker-18.06.1-1.2.mga6.src.rpm
succeeded!
$ ls
BUILD/  BUILDROOT/  RPMS/  SOURCES/  SPECS/  SRPMS/
$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source and binary packages
error: Failed build dependencies:
	btrfs-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	glibc-static-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	go-md2man is needed by docker-18.06.1-1.2.mga6.x86_64
	golang-net-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	pkgconfig(devmapper) is needed by docker-18.06.1-1.2.mga6.x86_64
error: failed!

Installed the dependencies but did not know how to interpret the last one pkgconfig(devmapper).  pkgconfig is already installed.
$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source and binary packages
error: Failed build dependencies:
	pkgconfig(devmapper) is needed by docker-18.06.1-1.2.mga6.x86_64
error: failed!

There are dozens of files with devmapper in their names, often with the .go filetype as well, so what exactly is missing?
Comment 8 Len Lawrence 2019-02-05 16:59:46 CET
On the other hand it could be the result of jumping the gun.
Comment 9 David Walser 2019-02-05 17:14:12 CET
(In reply to Len Lawrence from comment #7)
> Installed the dependencies but did not know how to interpret the last one
> pkgconfig(devmapper).  pkgconfig is already installed.

Just do urpmi "pkgconfig(devmapper)"

It's an automatically generated Provides for some devel package because it provides a devmapper.pc pkgconfig file.

Or better yet, use "bm -ls" to create an SRPM and then run urpmi on that SRPM and it'll install all of the build deps.  Plus if you install them that way, you can usually remove them easily when you're done with urpme --auto-orphans.
Comment 10 David Walser 2019-02-05 17:15:08 CET
(In reply to Bruno Cornec from comment #5)
> 1.11.5-1 pushed to updates_testing formga6 and 1.11.5-2 bumped for mga7.

Thanks Bruno.

Just a couple of reminders.  The rebuild for mga7 was unnecessary.  1.11.5-1.mga7 is still > 1.11.5-1.mga6.  Also, please leave yourself CC'd for bugs when you assign to QA.

CC: (none) => bruno

Comment 11 David Walser 2019-02-05 17:19:39 CET
Advisory:
========================

Updated golang packages fix security vulnerabilities:

Remote code execution in go get, when executed with the -u flag
(CVE-2018-16873).

An arbitrary filesystem write in go get, which could lead to code execution
(CVE-2018-16874).

Denial of Service in the crypto/x509 package during certificate chain
validation (CVE-2018-16875).

Go before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows
attackers to cause a denial of service (CPU consumption) or possibly conduct
ECDH private key recovery attacks (CVE-2019-6486).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486
https://lists.opensuse.org/opensuse-updates/2018-12/msg00094.html
https://www.debian.org/security/2019/dsa-4380
========================

Updated packages in core/updates_testing:
========================
golang-1.11.5-1.mga6
golang-docs-1.11.5-1.mga6
golang-misc-1.11.5-1.mga6
golang-tests-1.11.5-1.mga6
golang-src-1.11.5-1.mga6
golang-bin-1.11.5-1.mga6
golang-shared-1.11.5-1.mga6

from golang-1.11.5-1.mga6.src.rpm
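The advisory above gives the fixed versions for each affected release line (1.11.5 for the 1.11 line, 1.10.8 for the 1.10 line, per DSA-4380). The following is an added example, not code from this bug, from Mageia or from the Go project: a small gate that parses the string returned by runtime.Version() and reports whether the running toolchain is at or past those fixed versions, which is the check a build host or CI image would want to run after the update. The names (ParseGoVersion, IsFixed, fixedIn) are this example's own, and it makes two assumptions it labels in comments: release lines newer than 1.11 are treated as fixed because they branched after the patches landed, and pre-release or development builds are reported as not fixed because they cannot be pinned to a release.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// Version is a parsed Go release version: major.minor.patch.
// A release string with no patch component ("go1.12") has Patch == 0.
type Version struct{ Major, Minor, Patch int }

// ParseGoVersion parses release strings of the form "go1.11.5" or "go1.12",
// the shape runtime.Version() returns for tagged releases. Pre-release tags
// ("go1.12beta1", "go1.12rc2") and development builds ("devel +abc123 ...")
// yield ok == false: the gate should not vouch for a toolchain it cannot pin
// to a specific release.
func ParseGoVersion(s string) (v Version, ok bool) {
	s = strings.TrimPrefix(s, "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return Version{}, false
	}
	var nums [3]int
	for i, p := range parts {
		// Accept only plain decimal digits; strconv.Atoi would also take "+5".
		if p == "" || strings.Trim(p, "0123456789") != "" {
			return Version{}, false
		}
		n, err := strconv.Atoi(p)
		if err != nil {
			return Version{}, false
		}
		nums[i] = n
	}
	return Version{nums[0], nums[1], nums[2]}, true
}

// Less reports whether v sorts before w.
func (v Version) Less(w Version) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// fixedIn maps each affected 1.x release line to the first release carrying
// the fixes for CVE-2018-16873, CVE-2018-16874, CVE-2018-16875 and
// CVE-2019-6486, as stated in the advisory (1.10.8 and 1.11.5).
var fixedIn = map[int]Version{
	10: {1, 10, 8},
	11: {1, 11, 5},
}

// IsFixed reports whether the toolchain identified by runtimeVersion carries
// the fixes listed in the advisory.
func IsFixed(runtimeVersion string) bool {
	v, ok := ParseGoVersion(runtimeVersion)
	if !ok {
		return false // pre-release or devel build: cannot be pinned, treat as unpatched
	}
	// Assumption for this example: anything newer than the 1.11 line branched
	// after the fixes landed and is therefore considered patched.
	if v.Major > 1 || (v.Major == 1 && v.Minor > 11) {
		return true
	}
	min, known := fixedIn[v.Minor]
	if !known {
		return false // 1.9 and older were out of upstream support; no fix shipped
	}
	return !v.Less(min)
}

func main() {
	cur := runtime.Version()
	fmt.Printf("%s: patched for CVE-2018-1687[3-5]/CVE-2019-6486 = %v\n", cur, IsFixed(cur))
}
```

Run it with the golang-bin from updates_testing (`go run gate.go`, assuming the file is saved under that name); a result of `false` on a release build means the toolchain is still older than the fixed version for its line.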
Comment 12 Len Lawrence 2019-02-05 17:39:22 CET
Added golang-tests.

@David - comment 9.  Thanks for the tips.  The first one worked like a charm but the second is worth remembering for future local builds.

From docker build directory:
$ bm -l
[...]
+ exit 0
succeeded!

golang looks fine but golang-tests needs investigation.
Comment 13 Len Lawrence 2019-02-05 17:56:39 CET
Re golang-tests.

Extract from 
$ urpmq -i golang-tests
Summary     : Golang compiler tests for stdlib

Nothing useful under /usr/share/doc/golang.
locate returns lists of go sanitizers and go code snippets.  There is a section labelled /usr/lib/golang/misc/cgo/testso/ which might be relevant, both C and go code.  Not really QA territory so let's send this one on.

Whiteboard: (none) => MGA6-64-OK

Len Lawrence 2019-02-09 00:32:38 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-02-13 02:32:54 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 14 Mageia Robot 2019-02-13 12:10:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0066.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

