Bug 27039 - golang new security issues CVE-2020-15586 and CVE-2020-16845
Summary: golang new security issues CVE-2020-15586 and CVE-2020-16845
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-05 00:44 CEST by David Walser
Modified: 2020-08-18 19:43 CEST

See Also:
Source RPM: golang-1.12.17-1.mga7.src.rpm
CVE:
Status comment:



David Walser 2020-08-05 00:44:30 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-08-05 02:49:49 CEST
Fedora has issued an advisory for this on July 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WIRVUHD7TJIT7JJ33FKHIVTHPYABYPHR/

They upgraded to 1.14.6.
Comment 2 Lewis Smith 2020-08-05 20:13:53 CEST
Assigning to Joseph who is the main maintainer; CC'ing Stig as having done recent updates.

CC: (none) => smelror
Assignee: bugsquad => joequant

David Walser 2020-08-05 20:19:33 CEST

CC: (none) => bruno

Comment 3 Stig-Ørjan Smelror 2020-08-05 21:56:30 CEST
Cauldron has already been updated to 1.14.6.

Do you think updating 1.13.14 on MGA7 is sufficient?

See https://github.com/golang/go/issues/40211

Cheers,
Stig

Source RPM: golang-1.14.4-2.mga8.src.rpm, golang-1.12.17-1.mga7.src.rpm => golang-1.12.17-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 David Walser 2020-08-05 22:25:08 CEST
As long as we can still build docker with it, I think that's fine.
Comment 5 David Walser 2020-08-12 19:52:55 CEST
openSUSE has issued an advisory today (August 12):
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html

The issue is fixed upstream in 1.13.15 and 1.14.7.

Summary: golang new security issue CVE-2020-15586 => golang new security issues CVE-2020-15586 and CVE-2020-16845

Comment 6 Stig-Ørjan Smelror 2020-08-13 12:02:05 CEST
Go has been updated to 1.15 on Cauldron.
Comment 7 David Walser 2020-08-13 16:00:09 CEST
Advisory:
========================

Updated golang packages fix security vulnerabilities:

Servers where the Handler concurrently reads the request body and writes a
response can encounter a data race and crash. The httputil.ReverseProxy Handler
is affected (CVE-2020-15586).

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions
to read an unlimited number of bytes from the ByteReader argument before
returning an error. This could lead to processing more input than expected when
the caller is reading directly from the network and depends on ReadUvarint and
ReadVarint only consuming a small, bounded number of bytes, even from invalid
inputs (CVE-2020-16845).

The golang package has been updated to version 1.13.15, fixing these issues
and containing several other bug fixes and enhancements.  See the 1.13 release
notes and other references for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16845
https://golang.org/doc/go1.13
https://golang.org/doc/devel/release.html#go1.13.minor
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/golang-announce/NyPIaucMgXo
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
========================

Updated packages in core/updates_testing:
========================
golang-1.13.15-1.mga7
golang-docs-1.13.15-1.mga7
golang-misc-1.13.15-1.mga7
golang-tests-1.13.15-1.mga7
golang-src-1.13.15-1.mga7
golang-bin-1.13.15-1.mga7
golang-shared-1.13.15-1.mga7

from golang-1.13.15-1.mga7.src.rpm

Assignee: joequant => qa-bugs

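Added example (not from this bug report, the Mageia package or the Go project): the CVE-2020-16845 text in the advisory above describes ReadUvarint/ReadVarint reading an unbounded number of bytes from the ByteReader on certain invalid inputs. The Go program below shows the defensive pattern a caller reading length-prefixed frames from the network can apply regardless of which Go version the binary was built with: the ByteReader is wrapped so that at most binary.MaxVarintLen64 (10) bytes are consumed per call, and the decoded length is capped before any allocation. The type and function names (boundedByteReader, ReadUvarintBounded, ReadFrame, ErrVarintTooLong, ErrFrameTooLarge) and the sample inputs are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrVarintTooLong is returned when the varint has not terminated after
// binary.MaxVarintLen64 bytes (constructed name for this example).
var ErrVarintTooLong = errors.New("varint longer than 10 bytes")

// ErrFrameTooLarge is returned when the declared frame length exceeds the
// caller's cap (constructed name for this example).
var ErrFrameTooLarge = errors.New("frame length exceeds limit")

// boundedByteReader hands out at most limit bytes from the wrapped reader.
// This bounds the input consumed by binary.ReadUvarint even on a Go release
// that predates the CVE-2020-16845 fix.
type boundedByteReader struct {
	r     io.ByteReader
	limit int
	n     int // bytes actually delivered so far
}

func (b *boundedByteReader) ReadByte() (byte, error) {
	if b.n >= b.limit {
		return 0, ErrVarintTooLong
	}
	c, err := b.r.ReadByte()
	if err == nil {
		b.n++
	}
	return c, err
}

// ReadUvarintBounded decodes a uvarint from r, never pulling more than
// binary.MaxVarintLen64 bytes. It returns the value, the number of bytes
// consumed, and any error.
func ReadUvarintBounded(r io.ByteReader) (uint64, int, error) {
	b := &boundedByteReader{r: r, limit: binary.MaxVarintLen64}
	v, err := binary.ReadUvarint(b)
	return v, b.n, err
}

// frameSource is what a network connection wrapped in bufio.Reader, or a
// bytes.Reader in tests, provides: byte-at-a-time and bulk reads.
type frameSource interface {
	io.Reader
	io.ByteReader
}

// ReadFrame reads one varint-length-prefixed frame. A malformed prefix costs
// at most 10 bytes of input, and a length above maxFrame is rejected before
// any buffer is allocated, so a hostile peer cannot force a large allocation.
func ReadFrame(r frameSource, maxFrame uint64) ([]byte, error) {
	n, _, err := ReadUvarintBounded(r)
	if err != nil {
		return nil, err
	}
	if n > maxFrame {
		return nil, ErrFrameTooLarge
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

func main() {
	// Constructed well-formed frame: length 5, payload "hello".
	good := bytes.NewReader(append([]byte{0x05}, []byte("hello")...))
	p, err := ReadFrame(good, 1<<20)
	fmt.Printf("frame=%q err=%v\n", p, err)

	// Constructed malformed prefix: 20 continuation bytes that never terminate.
	bad := bytes.NewReader(bytes.Repeat([]byte{0x80}, 20))
	_, err = ReadFrame(bad, 1<<20)
	fmt.Printf("err=%v, bytes left unread=%d\n", err, bad.Len())
}
```

On a fixed Go release binary.ReadUvarint itself stops after 10 bytes with an overflow error; on an unfixed one the wrapper's ErrVarintTooLong fires instead. In both cases the caller sees an error after exactly 10 bytes and the remaining input is left on the reader, which is the property the advisory says callers were relying on.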
Comment 8 Herman Viaene 2020-08-14 11:36:12 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Copied the suffixarray folder from testdata into my home and tried to "go build" on these, but got either no feedback at all (and no new file generated) or missing items.
Giving up.

CC: (none) => herman.viaene

Comment 9 David Walser 2020-08-14 12:40:16 CEST
We usually test this by building the docker package.
Comment 10 Len Lawrence 2020-08-14 20:22:23 CEST
OK Herman and David, about to try that.

CC: (none) => tarazed25

Comment 11 Len Lawrence 2020-08-14 21:21:04 CEST
mga7, x86_64

$ mgarepo co -d 7 docker
Using the svn mirror.
HTTP request sent, awaiting response... 200 OK
Length: 15299640 (15M) [application/x-tar]
Saving to: ‘docker/SOURCES/v18.09.9.tar.gz’

docker/SOURCES/v18. 100%[===================>]  14.59M  3.31MB/s    in 4.4s    

2020-08-14 19:27:31 (3.31 MB/s) - ‘docker/SOURCES/v18.09.9.tar.gz’ saved [15299640/15299640]
$ cd docker
$ bm -ls
creating package list
processing package docker-%{moby_version}-%mkrel 1
building source package
warning: Macro expanded in comment on line 40: %{shortcommit}

Wrote: /home/lcl/qa/golang/docker/SRPMS/docker-18.09.9-1.1.mga7.src.rpm
succeeded!
$ sudo urpmi --buildrequires SPECS/docker.spec
warning: Macro expanded in comment on line 40: %{shortcommit}

In order to satisfy the 'go-md2man' dependency, one of the following packages is needed:
 1- go-md2man-1.0.8-1.mga7.x86_64: Transform md into man pages (to install)
 2- golang-github-cpuguy83-go-md2man-1.0.8-1.mga7.x86_64: Process markdown into manpages (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  go-md2man                      1.0.8        1.mga7        x86_64  
  golang-net-devel               0.1.git84a4> 9.mga7        x86_64  
  lib64ltdl-devel                2.4.6        9.mga7        x86_64  
(medium "Core Updates")
  lib64devmapper-devel           1.02.154     1.1.mga7      x86_64  
(medium "Core Updates Testing")
  btrfs-progs                    5.7          1.mga7        x86_64  
  lib64btrfs-devel               5.7          1.mga7        x86_64  
  lib64btrfs0                    5.7          1.mga7        x86_64  
4.1MB of additional disk space will be used.
1.9MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) Y
......

$ bm -l
creating package list
processing package docker-%{moby_version}-%mkrel 1
building source and binary packages
warning: Macro expanded in comment on line 40: %{shortcommit}

Executing(%prep): /bin/sh -e /home/lcl/qa/golang/docker/BUILDROOT/rpm-tmp.j6sAeg
+ umask 022
+ cd /home/lcl/qa/golang/docker/BUILD
......
+ umask 022
+ cd /home/lcl/qa/golang/docker/BUILD
+ cd docker-ce-18.09.9
+ /usr/bin/rm -rf /home/lcl/qa/golang/docker/BUILDROOT/docker-18.09.9-1.1.mga7.x86_64
+ exit 0
succeeded!
$ cd ../RPMS/x86_64
$ ls * | grep 09.9
docker-18.09.9-1.1.mga7.x86_64.rpm
docker-devel-18.09.9-1.1.mga7.x86_64.rpm
docker-fish-completion-18.09.9-1.1.mga7.x86_64.rpm
docker-logrotate-18.09.9-1.1.mga7.x86_64.rpm
docker-nano-18.09.9-1.1.mga7.x86_64.rpm
docker-unit-test-18.09.9-1.1.mga7.x86_64.rpm
docker-vim-18.09.9-1.1.mga7.x86_64.rpm
docker-zsh-completion-18.09.9-1.1.mga7.x86_64.rpm

Checked against the already installed docker:
$ rpm -q docker
docker-18.09.9-1.1.mga7

Skipping the HelloWorld stage - this looks OK.

Whiteboard: (none) => MGA7-64-OK

Comment 12 Len Lawrence 2020-08-15 02:40:26 CEST
Had a look at suffixarray but could not figure out how to run the example_test.  A simple hello.go runs and builds fine.

$ export GOHOME=/home/lcl/go/

Sources in ~/go/src
Used a local QA directory for testing.

$ cd ~/qa/golang
$ go run hello.go
Good morning QA
!AQ gninrom dooG
$ go build hello.go
$ ./hello
Good morning QA
!AQ gninrom dooG

$ cd ~/go/src
$ ls
example_test.go  hello.go  sais.go      suffixarray.go
gen.go           sais2.go  stringutil/  suffixarray_test.go

gen.go is the only other file with a main function and looks like it regenerates sais.go but in fact does not work from the test directory - it has to be run in the src directory.
$ grep -H "func main()" *
gen.go:func main() {
hello.go:func main() {

$ cd ~/qa/golang
$ go build gen.go
can't load package: package gen.go: cannot find package "gen.go" in any of:
	/usr/lib/golang/src/gen.go (from $GOROOT)
	/home/lcl/go/src/gen.go (from $GOPATH)
$ cd $GOPATH/src
$ go build gen.go
$ ll
-rwxr-xr-x 1 lcl lcl 2252965 Aug 15 01:31 gen*
-rw-r--r-- 1 lcl lcl    1932 Aug 15 00:12 gen.go
-rw-r--r-- 1 lcl lcl   53710 Aug 15 01:32 sais2.go
-rw-r--r-- 1 lcl lcl   33261 Aug 15 00:12 sais.go

Taking this no further - there is obviously a lot more to know about file disposition in golang.
Comment 13 Len Lawrence 2020-08-16 02:33:34 CEST
s/GOHOME/GOPATH/
David Walser 2020-08-16 16:06:15 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 14 David Walser 2020-08-16 16:17:54 CEST
Advisory and package list in Comment 7.
Dave Hodgins 2020-08-18 18:00:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 15 Mageia Robot 2020-08-18 19:43:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0325.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
