Arch Linux Security Advisory ASA-202106-42
==========================================

Severity: Medium
Date    : 2021-06-15
CVE-ID  : CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198
Package : go
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2006

Summary
=======

The package go before version 2:1.16.5-1 is vulnerable to multiple
issues including insufficient validation, url request injection and
denial of service.

Resolution
==========

Upgrade to 2:1.16.5-1.

# pacman -Syu "go>=2:1.16.5-1"

The problems have been fixed upstream in version 1.16.5.

Workaround
==========

None.

Description
===========

- CVE-2021-33195 (insufficient validation)

A security issue has been found in Go before version 1.16.5. The
LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in
net, and their respective methods on the Resolver type may return
arbitrary values retrieved from DNS which do not follow the established
RFC 1035 rules for domain names. If these names are used without
further sanitization, for instance unsafely included in HTML, they may
allow for injection of unexpected content. Note that LookupTXT may
still return arbitrary values that could require sanitization before
further use.

- CVE-2021-33196 (denial of service)

A security issue has been found in Go before version 1.16.5. Due to a
pre-allocation optimization in zip.NewReader, a malformed archive which
indicates it has a significant number of files can cause either a panic
or memory exhaustion.

- CVE-2021-33197 (url request injection)

A security issue has been found in Go before version 1.16.5.
ReverseProxy in net/http/httputil could be made to forward certain hop-
by-hop headers, including Connection. In case the target of the
ReverseProxy was itself a reverse proxy, this would let an attacker
drop arbitrary headers, including those set by the
ReverseProxy.Director.

- CVE-2021-33198 (denial of service)

A security issue has been found in Go before version 1.16.5. The
SetString and UnmarshalText methods of math/big.Rat may cause a panic
or an unrecoverable fatal error if passed inputs with very large
exponents.

Impact
======

An attacker could crash an application with crafted input, inject
malicious and unexpected content or drop HTTP headers by posing as a
reverse proxy.

References
==========

https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ
https://github.com/golang/go/issues/46241
https://github.com/golang/go/commit/df6a737cc899507d3090e995abd1e1ed1a30cee3
https://github.com/golang/go/issues/46242
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912
https://github.com/golang/go/commit/895fb1bb6fc0d3c01c5ef7c8cbaf033d1fff9ad7
https://github.com/golang/go/issues/46313
https://github.com/golang/go/commit/0410005dc458f23fb15f64354f9a24ca8f2fe044
https://github.com/golang/go/issues/45910
https://github.com/golang/go/commit/9210eaf7dc704612a6eda97c482012f779fd833b
https://security.archlinux.org/CVE-2021-33195
https://security.archlinux.org/CVE-2021-33196
https://security.archlinux.org/CVE-2021-33197
https://security.archlinux.org/CVE-2021-33198