Debian-LTS has issued an advisory on November 21: https://www.debian.org/lts/security/2020/dla-2460 The issue is fixed upstream in 1.14.12 and 1.15.5. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
SUSE has issued advisories on November 19: https://lists.suse.com/pipermail/sle-security-updates/2020-November/007807.html https://lists.suse.com/pipermail/sle-security-updates/2020-November/007806.html It fixes two more issues also fixed in the same upstream versions.
Summary: golang new security issue CVE-2020-28367 => golang new security issues CVE-2020-2836[267]
Fedora has issued an advisory for this today (November 23): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => joequant
Keywords: (none) => Triaged
CC: (none) => bruno
Status: NEW => ASSIGNED
Submitted 1.15 to Cauldron, new version of 1.13 had not been submitted
golang-1.15.5-1.mga8 uploaded for Cauldron. For Mageia 7, we'll have to backport a patch.
Whiteboard: MGA7TOO => (none)
Source RPM: golang-1.15.3-1.mga8.src.rpm => golang-1.13.15-2.mga7.src.rpm
Version: Cauldron => 7
openSUSE has issued an advisory for this on November 27: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IQVUQXAVUQCNNOSHNTQGRCAEYALRL2NA/
Mageia 7 has go 1.13 which is NOT vulnerable to this issue per https://github.com/golang/go/issues/42552
Status: ASSIGNED => RESOLVED
Resolution: (none) => INVALID
Incorrect.
Resolution: INVALID => (none)
Status: RESOLVED => REOPENED
There are three CVEs here, and upstream only says that 1.13 is not supported, not that it's not affected.
In the link I mentioned, the following is written: "It does look like this vulnerability was introduced by the recursive division algorithm implementation, which appears since go1.14beta. This issue could be limited to golang versions > 1.14, but it would be good to confirm that somehow." And if 1.13 is not supported, we won't get any patch to apply.
Hmm, yeah I see that now. We won't get backported patches from upstream, but maybe another distro does it or we do it ourselves. CVE-2020-28366 and CVE-2020-28367 commits are below: https://github.com/golang/go/commit/062e0e5ce6df339dc26732438ad771f73dbf2292 https://github.com/golang/go/commit/da7aa86917811a571e6634b45a457f918b8e6561
I had to tweak the patches (not knowing go) in order to adapt them to our older version, but I think I fixed it. So golang-1.13.15-3.mga7 is on its way to updates_testing.
Assignee: joequant => qa-bugs
Nice work.

Advisory:
========================

Updated golang packages fix security vulnerabilities:

An input validation vulnerability was found in go. From a generated go file (from the cgo tool) it is possible to modify symbols within that object file and specify code instead. An attacker could potentially use this flaw by creating a repository which included malicious pre-built object files that could execute arbitrary code when downloaded and run via "go get" or "go build" whilst building a go project (CVE-2020-28366).

An input validation vulnerability was found in go. If cgo is specified in a go file, it is possible to bypass the validation of arguments to the gcc compiler. An attacker could potentially use this flaw by creating a malicious repository which would execute arbitrary code when downloaded and run via "go get" or "go build" whilst building a go project (CVE-2020-28367).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28367
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/
========================

Updated packages in core/updates_testing:
========================
golang-1.13.15-3.mga7
golang-docs-1.13.15-3.mga7
golang-misc-1.13.15-3.mga7
golang-tests-1.13.15-3.mga7
golang-src-1.13.15-3.mga7
golang-bin-1.13.15-3.mga7
golang-shared-1.13.15-3.mga7

from golang-1.13.15-3.mga7.src.rpm
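A defender-side pre-build check suggested by the advisory above, as an added example that is not part of this bug report or of Go's own tooling: before building a module of unknown origin, it reports pre-built object files (.syso/.o/.a) shipped alongside the source and any #cgo compiler or linker flag outside a narrow allowlist, the two ingredients the advisory text names. The allowlist, the Finding type and the sample file contents are this example's own assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Pre-built object files that go build links as-is; a fetched module should ship source only.
var prebuiltExts = map[string]bool{".syso": true, ".o": true, ".a": true}
// cgoDirective matches "#cgo [constraints] LDFLAGS: flags..." inside a comment.
var cgoDirective = regexp.MustCompile(`^\s*(?://|/\*)?\s*#cgo\b[^:]*\b(CFLAGS|CPPFLAGS|CXXFLAGS|FFLAGS|LDFLAGS):\s*(.*)$`)
// allowedFlag is this example's own narrow allowlist (an assumption, not Go's cgo validation): -I/-L/-l/-D only.
var allowedFlag = regexp.MustCompile(`^-[ILlD][A-Za-z0-9_./=+${}-]+$`)
type Finding struct{ File, Reason string } // one item for a packager to review

// auditModule inspects a module given as path -> contents (in memory so the example runs offline).
func auditModule(files map[string]string) []Finding {
	var out []Finding
	for path, src := range files {
		ext := filepath.Ext(path)
		if prebuiltExts[ext] {
			out = append(out, Finding{path, "pre-built object file shipped with source"})
		} else if ext == ".go" {
			for _, line := range strings.Split(src, "\n") {
				if m := cgoDirective.FindStringSubmatch(line); m != nil {
					for _, flag := range strings.Fields(m[2]) {
						if !allowedFlag.MatchString(flag) {
							out = append(out, Finding{path, fmt.Sprintf("#cgo %s flag not on allowlist: %s", m[1], flag)})
						}
					}
				}
			}
		}
	}
	return out
}

// sampleModule is a constructed tree for demonstration, not a real project.
var sampleModule = map[string]string{
	"lib.go":    "package p\n\n// #cgo CFLAGS: -I${SRCDIR}/include -DUSE_FOO=1\n// #cgo LDFLAGS: -lfoo -Wl,-rpath,/tmp/lib\nimport \"C\"\n",
	"blob.syso": "(binary contents omitted)",
}

func main() {
	for _, f := range auditModule(sampleModule) {
		fmt.Printf("%s: %s\n", f.File, f.Reason)
	}
}
```

Running it on the sample reports blob.syso and the -Wl,-rpath flag in lib.go, while the -I/-D/-l flags pass; a packager would run the same walk over the unpacked source tree before building.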
Referenced Bug 26465 for testing procedure: building docker. Used the same 32-bit hardware I used in my tests for that bug, a Dell Inspiron 5100, with a Xfce system. Installed all 7 packages and their dependencies, then updated. No installation issues. Followed Len Lawrence's commands from https://bugs.mageia.org/show_bug.cgi?id=26465#c3 to build docker, eventually ending with the "Succeeded!" message. As this has been an adequate test before, I am giving this a 32-bit OK. I will test the 64-bit packages for installation issues before validating.
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA7-32-OK
I decided to do the same test with a 64-bit system, and got the same result. So as far as this test is concerned, it's ready to go. Validating. Advisory in Comment 13.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OK
Advisory pushed to SVN.
Keywords: Triaged => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0018.html
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED