Linux Security
Linux Security
Linux Security

ArchLinux: 202101-27: go: multiple issues

Date 28 Jan 2021
47
Posted By LinuxSecurity Advisories
The package go before version 2:1.15.7-1 is vulnerable to multiple issues including arbitrary command execution and incorrect calculation.
Arch Linux Security Advisory ASA-202101-27
==========================================

Severity: Medium
Date    : 2021-01-20
CVE-ID  : CVE-2021-3114 CVE-2021-3115
Package : go
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1481

Summary
=======

The package go before version 2:1.15.7-1 is vulnerable to multiple
issues including arbitrary command execution and incorrect calculation.

Resolution
==========

Upgrade to 2:1.15.7-1.

# pacman -Syu "go>=2:1.15.7-1"

The problems have been fixed upstream in version 1.15.7.

Workaround
==========

None.

Description
===========

- CVE-2021-3114 (incorrect calculation)

A security issue was found in Go and fixed in versions 1.15.7 and
1.14.14. The P224() Curve implementation can in rare circumstances
generate incorrect outputs, including returning invalid points from
ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not
crypto/tls) packages support P-224 ECDSA keys, but they are not
supported by publicly trusted certificate authorities. No other
standard library or golang.org/x/crypto package supports or uses the
P-224 curve.

- CVE-2021-3115 (arbitrary command execution)

A security issue was found in Go and fixed in versions 1.15.7 and
1.14.14. The go command may execute arbitrary code at build time when
using cgo on Windows. This can be triggered by running go get for a
malicious package, or any other time the code is built. This can be
triggered by malicious packages which contain specifically named
binaries which are executed when cgo is executed in the context of the
malicious package directory. This is due to the path lookup behavior of
os/exec.LookPath on Windows. This will also affect Unix users who have
“.” listed explicitly in their PATH and are running “go get” outside of
a module or with module mode disabled. This has been fixed by altering
the usage of os/exec.LookPath by the go command to reject the usage of
any binaries that reside in the current directory.

Impact
======

The handling of P-224 ECDSA keys could produce incorrect outputs,
leading to potentially incorrect results of encryption, decryption, or
signature verification operations.

Downloading a maliciously crafted binary package using "go get" can
execute arbitrary code if the user's $PATH explicitly contains the
current directory.

References
==========

https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
https://github.com/golang/go/issues/43788
https://github.com/golang/go/commit/5c8fd727c41e31273923c32b33d4f25855f4e123
https://blog.golang.org/path-security
https://github.com/golang/go/issues/43785
https://github.com/golang/go/commit/e8e7facfaa47bf21007c0a1c679debba52ec3ea0
https://github.com/golang/go/commit/07e3195293ec510171d7d43ec8ac2bcb9cf00df4
https://security.archlinux.org/CVE-2021-3114
https://security.archlinux.org/CVE-2021-3115

Advisories

LinuxSecurity Poll

How frequently do you patch/update your system?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum 0 answer(s) and maximum 3 answer(s).
/main-polls/52-how-frequently-do-you-patch-update-your-system?task=poll.vote&format=json
52
radio
[{"id":"179","title":"As soon as patches\/updates are released - I track advisories for my distro(s) diligently","votes":"42","type":"x","order":"1","pct":84,"resources":[]},{"id":"180","title":"Every so often, when I think of it","votes":"4","type":"x","order":"2","pct":8,"resources":[]},{"id":"181","title":"Hardly ever","votes":"4","type":"x","order":"3","pct":8,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

Please vote first in order to view vote results.

VOTE ON THE POLL PAGE


VIEW MORE POLLS

bottom 200

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.