Bug 27650 - golang new security issues CVE-2020-2836[267]
Summary: golang new security issues CVE-2020-2836[267]
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-32-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-11-23 16:56 CET by David Walser
Modified: 2021-01-10 20:47 CET

See Also:
Source RPM: golang-1.13.15-2.mga7.src.rpm
Status comment:


Description David Walser 2020-11-23 16:56:55 CET
Debian-LTS has issued an advisory on November 21:

The issue is fixed upstream in 1.14.12 and 1.15.5.

Mageia 7 is also affected.
David Walser 2020-11-23 16:57:01 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-11-23 20:26:23 CET
SUSE has issued advisories on November 19:

It fixes two more issues also fixed in the same upstream versions.

Summary: golang new security issue CVE-2020-28367 => golang new security issues CVE-2020-2836[267]

Comment 2 David Walser 2020-11-23 22:18:43 CET
Fedora has issued an advisory for this today (November 23):
Comment 3 Aurelien Oudelet 2020-11-25 18:34:35 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => joequant
Keywords: (none) => Triaged

David Walser 2020-11-25 20:32:15 CET

CC: (none) => bruno

Joseph Wang 2020-11-26 05:58:27 CET


Comment 4 Joseph Wang 2020-11-26 12:10:56 CET
Submitted 1.15 to Cauldron, new version of 1.13 had not been submitted.
Comment 5 David Walser 2020-11-26 15:31:21 CET
golang-1.15.5-1.mga8 uploaded for Cauldron.

For Mageia 7, we'll have to backport a patch.

Whiteboard: MGA7TOO => (none)
Source RPM: golang-1.15.3-1.mga8.src.rpm => golang-1.13.15-2.mga7.src.rpm
Version: Cauldron => 7

Comment 6 David Walser 2020-11-29 17:27:59 CET
openSUSE has issued an advisory for this on November 27:
Comment 7 Bruno Cornec 2020-12-29 12:29:26 CET
Mageia 7 has go 1.13 which is NOT vulnerable to this issue per https://github.com/golang/go/issues/42552

Resolution: (none) => INVALID

Comment 8 David Walser 2020-12-29 16:33:00 CET

Resolution: INVALID => (none)

Comment 9 David Walser 2020-12-29 16:33:54 CET
There are three CVEs here, and upstream only says that 1.13 is not supported, not that it's not affected.
Comment 10 Bruno Cornec 2020-12-30 23:49:23 CET
In the link I mentioned, the following is written:
"It does look like this vulnerability was introduced by the recursive division algorithm implementation, which appears since go1.14beta. This issue could be limited to golang versions > 1.14, but it would be good to confirm that somehow."

And if 1.13 is not supported, we won't get any patch to apply.
Comment 11 David Walser 2020-12-30 23:55:39 CET
Hmm, yeah I see that now.

We won't get backported patches from upstream, but maybe another distro does it or we do it ourselves.

CVE-2020-28366 and CVE-2020-28367 commits are below:
Comment 12 Bruno Cornec 2021-01-07 00:20:34 CET
I had to tweak the patches (not knowing Go) in order to adapt them to our older version, but I think I fixed it.
So golang-1.13.15-3.mga7 is on its way to updates_testing.

Assignee: joequant => qa-bugs

Comment 13 David Walser 2021-01-07 00:31:28 CET
Nice work.


Updated golang packages fix security vulnerabilities:

An input validation vulnerability was found in go. From a generated go file
(from the cgo tool) it is possible to modify symbols within that object file
and specify code instead. An attacker could potentially use this flaw by
creating a repository which included malicious pre-built object files that
could execute arbitrary code when downloaded and run via "go get" or "go build"
whilst building a go project (CVE-2020-28366).

An input validation vulnerability was found in go. If cgo is specified in a go
file, it is possible to bypass the validation of arguments to the gcc compiler.
An attacker could potentially use this flaw by creating a malicious repository
which would execute arbitrary code when downloaded and run via "go get" or
"go build" whilst building a go project (CVE-2020-28367).


Updated packages in core/updates_testing:

from golang-1.13.15-3.mga7.src.rpm
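The advisory above describes CVE-2020-28367 as a bypass of the validation of arguments passed to gcc through cgo. As an added illustration written for this page (not code from the Go project or from the Mageia update), here is a small Go scanner that lists the flags in `#cgo` directives of a source file and reports every flag a conservative allowlist rejects; such a pre-build check over vendored or freshly fetched dependencies is one way to spot unexpected compiler or linker flags before `go build` runs them. The sample source, the `FindSuspiciousFlags` function and the allowlist are all assumptions for the example; the allowlist is not the go command's real validation rule set.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sample is a constructed Go source file with #cgo directives;
// the last two directive lines carry flags the allowlist below rejects.
const sample = `package foo

// #cgo CFLAGS: -I/usr/include/foo -DFOO=1 -O2
// #cgo linux LDFLAGS: -L/usr/lib -lfoo
// #cgo CFLAGS: -I/opt/foo/include @extra.rsp
// #cgo LDFLAGS: -lfoo -Wl,-rpath,/tmp
import "C"
`

// cgoLine matches a #cgo directive; optional build-constraint words may precede the list name.
var cgoLine = regexp.MustCompile(`^\s*//\s*#cgo\s+(?:\S+\s+)*?(CFLAGS|CPPFLAGS|CXXFLAGS|FFLAGS|LDFLAGS):\s*(.*)$`)

// allowed is a deliberately conservative allowlist of flag shapes (an assumption
// for this example, not the go command's real validation): only plain -D/-I/-L/-l,
// -O levels, -std=, a few -W warning switches and a few -f code-generation flags.
var allowed = regexp.MustCompile(`^(-D[A-Za-z_][A-Za-z0-9_]*(=[^'"\s]*)?|-I[^@\s]+|-L[^@\s]+|-l[A-Za-z0-9_.+-]+|-O[0-3s]?|-std=[A-Za-z0-9+]+|-W(all|extra|error|no-[a-z-]+)|-f(no-)?(PIC|pic|stack-protector(-strong|-all)?))$`)

// FindSuspiciousFlags returns "<LIST>: <flag>" for every cgo flag in src that
// the allowlist rejects, in source order.
func FindSuspiciousFlags(src string) []string {
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		m := cgoLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a #cgo directive
		}
		for _, f := range strings.Fields(m[2]) {
			if !allowed.MatchString(f) {
				bad = append(bad, m[1]+": "+f)
			}
		}
	}
	return bad
}

func main() {
	for _, b := range FindSuspiciousFlags(sample) {
		fmt.Println("rejected cgo flag:", b)
	}
}
```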
Comment 14 Thomas Andrews 2021-01-09 02:06:13 CET
Referenced Bug 26465 for testing procedure: building docker. Used the same 32-bit hardware I used in my tests for that bug, a Dell Inspiron 5100, with a Xfce system.

Installed all 7 packages and their dependencies, then updated. No installation issues.

Followed Len Lawrence's commands from https://bugs.mageia.org/show_bug.cgi?id=26465#c3 to build docker, eventually ending with the "Succeeded!" message.

As this has been an adequate test before, I am giving this a 32-bit OK. I will test the 64-bit packages for installation issues before validating.

CC: (none) => andrewsfarm

Thomas Andrews 2021-01-09 02:26:00 CET

Whiteboard: (none) => MGA7-32-OK

Comment 15 Thomas Andrews 2021-01-09 02:46:16 CET
I decided to do the same test with a 64-bit system, and got the same result. So as far as this test is concerned, it's ready to go.

Validating. Advisory in Comment 13.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OK

Comment 16 Aurelien Oudelet 2021-01-10 18:22:30 CET
Advisory pushed to SVN.

Keywords: Triaged => advisory
CC: (none) => ouaurelien

Comment 17 Mageia Robot 2021-01-10 20:47:45 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
