Linux Security

    ArchLinux: 202011-16: go: multiple issues

    Date 26 Nov 2020
    Posted By LinuxSecurity Advisories
    The package go before version 2:1.15.5-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.
    Arch Linux Security Advisory ASA-202011-16
    ==========================================
    
    Severity: High
    Date    : 2020-11-17
    CVE-ID  : CVE-2020-28362 CVE-2020-28366 CVE-2020-28367
    Package : go
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1278
    
    Summary
    =======
    
    The package go before version 2:1.15.5-1 is vulnerable to multiple
    issues including arbitrary code execution and denial of service.
    
    Resolution
    ==========
    
    Upgrade to 2:1.15.5-1.
    
    # pacman -Syu "go>=2:1.15.5-1"
    
    The problems have been fixed upstream in version 1.15.5.
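Added example, not part of the advisory or of the Go project's own tooling: a small Go program that parses runtime.Version() and reports whether the toolchain it was built with is at or above the 1.15.5 upstream fix named above. It assumes the usual "go1.x.y" version format; development builds ("devel ...") and pre-releases ("go1.16beta1") are deliberately reported as unpatched, and because the advisory only names 1.15.5 as the fixed version, any older release branch is reported as unpatched too.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// Upstream fix version named in the advisory: Go 1.15.5.
var fixedVersion = [3]int{1, 15, 5}

// parseGoVersion turns a runtime.Version() string such as "go1.15.5" into
// its numeric components. "go1.15" (the .0 release) parses as {1,15,0}.
// Development builds and pre-releases do not parse, so callers never treat
// them as patched by accident.
func parseGoVersion(v string) ([3]int, bool) {
	var out [3]int
	if !strings.HasPrefix(v, "go") {
		return out, false
	}
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// isPatched reports whether a Go version string is at or above the fixed
// version. Unparsable versions are treated as unpatched (fail closed).
func isPatched(v string) bool {
	got, ok := parseGoVersion(v)
	if !ok {
		return false
	}
	for i := 0; i < 3; i++ {
		if got[i] != fixedVersion[i] {
			return got[i] > fixedVersion[i]
		}
	}
	return true
}

func main() {
	v := runtime.Version()
	fmt.Printf("built with %s; at or above 1.15.5: %v\n", v, isPatched(v))
}
```

The program reports the toolchain that compiled it, so it has to be built with the toolchain being audited (for example `go run` on the host in question); running a binary copied from elsewhere tells you nothing about the local installation.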
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2020-28362 (denial of service)
    
    A flaw was found in go before 1.15.5 where a number of math/big.Int
    methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt,
    Jacobi, and GCD) can panic when provided crafted large inputs. For the
    panic to happen, the divisor or modulo argument must be larger than
    3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
    architectures). Multiple math/big.Rat methods are similarly affected.
    crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify
    may panic when provided crafted public keys and signatures.
    crypto/ecdsa and crypto/elliptic operations may only be affected if
    custom CurveParams with unusually large field sizes (several times
    larger than the largest supported curve, P-521) are in use. Using
    crypto/x509.Verify on a crafted X.509 certificate chain can lead to a
    panic, even if the certificates don’t chain to a trusted root. The
    chain can be delivered via a crypto/tls connection to a client, or to a
    server that accepts and verifies client certificates. net/http clients
    can be made to crash by an HTTPS server, while net/http servers that
    accept client certificates will recover the panic and are unaffected.
    Moreover, an application might crash invoking
    crypto/x509.(*CertificateRequest).CheckSignature on an X.509
    certificate request or during a golang.org/x/crypto/otr conversation.
    Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature
    may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a
    malformed host key, while a server could panic if either
    PublicKeyCallback accepts a malformed public key, or if IsUserAuthority
    accepts a certificate with a malformed public key.
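Added example, not from the advisory or the Go standard library: a defensive wrapper around crypto/rsa.VerifyPKCS1v15 of the kind an application verifying untrusted keys could use while an unpatched toolchain is still in service. It applies two independent measures: a cheap size check that refuses RSA moduli above a policy limit before any math/big arithmetic runs (the limit is an assumption for this example and is set below both the 3168-bit and 6336-bit thresholds quoted above), and a recover() wrapper that turns a panic inside the verifier into an ordinary error. The oversized key and the signed message are constructed sample inputs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Policy limit on accepted RSA moduli (assumption for this example, not a
// value from the advisory). Set it to the largest key size the deployment
// legitimately accepts; 3072 keeps every accepted key below the 3168-bit
// (32-bit) and 6336-bit (64-bit) divisor sizes at which unpatched math/big
// can panic.
const maxRSAModulusBits = 3072

var errKeyTooLarge = errors.New("rsa public key exceeds policy size limit")

// guarded runs fn and converts any panic it raises into a returned error, so
// a crafted input reaching a vulnerable verifier cannot take the process down.
func guarded(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("verification panicked: %v", r)
		}
	}()
	return fn()
}

// checkRSAKeySize refuses nil or oversized keys before they are used.
func checkRSAKeySize(pub *rsa.PublicKey) error {
	if pub == nil || pub.N == nil {
		return errors.New("nil rsa public key")
	}
	if pub.N.BitLen() > maxRSAModulusBits {
		return errKeyTooLarge
	}
	return nil
}

// safeVerifyPKCS1v15 combines both defences around crypto/rsa.VerifyPKCS1v15.
func safeVerifyPKCS1v15(pub *rsa.PublicKey, digest, sig []byte) error {
	if err := checkRSAKeySize(pub); err != nil {
		return err
	}
	return guarded(func() error {
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig)
	})
}

// craftedOversizedKey builds a syntactically valid 8192-bit public key
// (constructed sample input) that exceeds both thresholds from the advisory.
func craftedOversizedKey() *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 8191), E: 65537}
}

// demoResults exercises the wrapper with a fresh 2048-bit key: a valid
// signature, a signature checked against a tampered digest, and the crafted
// oversized key. Returned errors are in that order.
func demoResults() (valid, tampered, oversized error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	digest := sha256.Sum256([]byte("constructed sample message"))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return err, err, err
	}
	valid = safeVerifyPKCS1v15(&priv.PublicKey, digest[:], sig)
	bad := sha256.Sum256([]byte("tampered message"))
	tampered = safeVerifyPKCS1v15(&priv.PublicKey, bad[:], sig)
	oversized = safeVerifyPKCS1v15(craftedOversizedKey(), digest[:], sig)
	return valid, tampered, oversized
}

func main() {
	valid, tampered, oversized := demoResults()
	fmt.Println("valid signature:   ", valid)
	fmt.Println("tampered digest:   ", tampered)
	fmt.Println("oversized key:     ", oversized)
}
```

The same `guarded` wrapper can be placed around crypto/x509 chain verification or a crypto/dsa verify call; the size check is the more valuable of the two because it rejects the input before any expensive arithmetic is spent on it, whereas recover() only limits the blast radius of a panic that has already occurred. Neither replaces upgrading to the fixed package.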
    
    - CVE-2020-28366 (arbitrary code execution)
    
    A flaw was found in go before 1.15.5 where the go command may execute
    arbitrary code at build time when cgo is in use. This may occur when
    running go get on a malicious package, or any other command that builds
    untrusted code.
    
    - CVE-2020-28367 (arbitrary code execution)
    
    A flaw was found in go before 1.15.5 where the go command may execute
    arbitrary code at build time when cgo is in use. This may occur when
    running go get on a malicious package, or any other command that builds
    untrusted code.
    
    Impact
    ======
    
    A local attacker might be able to crash the program via a crafted
    input. In addition a remote attacker might be able to execute arbitrary
    code when go get is run on a malicious package, or untrusted code is
    built via any other command.
    
    References
    ==========
    
    https://github.com/golang/go/commit/84150d0af193a7ccd733b3c7fa5787f43125cd2d
    https://github.com/golang/go/issues/42554
    https://github.com/golang/go/issues/42562
    https://github.com/golang/go/commit/32159824698a82a174b60a6845e8494ae3243102
    https://github.com/golang/go/issues/42558
    https://github.com/golang/go/commit/ec06b6d6be568ce1591d91a0ea4f14c190d06605
    https://security.archlinux.org/CVE-2020-28362
    https://security.archlinux.org/CVE-2020-28366
    https://security.archlinux.org/CVE-2020-28367
    
