ArchLinux: 202011-16: go: multiple issues
Summary
- CVE-2020-28362 (denial of service)
A flaw was found in go before 1.15.5 where a number of math/big.Int
methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt,
Jacobi, and GCD) can panic when provided crafted large inputs. For the
panic to happen, the divisor or modulo argument must be larger than
3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
architectures). Multiple math/big.Rat methods are similarly affected.
crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify
may panic when provided crafted public keys and signatures.
crypto/ecdsa and crypto/elliptic operations may only be affected if
custom CurveParams with unusually large field sizes (several times
larger than the largest supported curve, P-521) are in use. Using
crypto/x509.Verify on a crafted X.509 certificate chain can lead to a
panic, even if the certificates don’t chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients
can be made to crash by an HTTPS server, while net/http servers that
accept client certificates will recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509
certificate request or during a golang.org/x/crypto/otr conversation.
Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature
may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a
malformed host key, while a server could panic if either
PublicKeyCallback accepts a malformed public key, or if IsUserAuthority
accepts a certificate with a malformed public key.
- CVE-2020-28366 (arbitrary code execution)
A flaw was found in go beforer 1.15.5 where the go command may execute
arbitrary code at build time when cgo is in use. This may occur when
running go get on a malicious package, or any other command that builds
untrusted code.
- CVE-2020-28367 (arbitrary code execution)
A flaw was found in go before 1.15.5 where the go command may execute
arbitrary code at build time when cgo is in use. This may occur when
running go get on a malicious package, or any other command that builds
untrusted code.
Resolution
Upgrade to 2:1.15.5-1.
# pacman -Syu "go>=2:1.15.5-1"
The problems have been fixed upstream in version 1.15.5.
References
https://github.com/golang/go/commit/84150d0af193a7ccd733b3c7fa5787f43125cd2d https://github.com/golang/go/issues/42554 https://github.com/golang/go/issues/42562 https://github.com/golang/go/commit/32159824698a82a174b60a6845e8494ae3243102 https://github.com/golang/go/issues/42558 https://github.com/golang/go/commit/ec06b6d6be568ce1591d91a0ea4f14c190d06605 https://security.archlinux.org/CVE-2020-28362 https://security.archlinux.org/CVE-2020-28366 https://security.archlinux.org/CVE-2020-28367
Workaround
None.