Arch Linux Security Advisory ASA-202106-42
=========================================
Severity: Medium
Date    : 2021-06-15
CVE-ID  : CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198
Package : go
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2006

Summary
======
The package go before version 2:1.16.5-1 is vulnerable to multiple
issues including insufficient validation, url request injection and
denial of service.

Resolution
=========
Upgrade to 2:1.16.5-1.

# pacman -Syu "go>=2:1.16.5-1"

The problems have been fixed upstream in version 1.16.5.

Workaround
=========
None.

Description
==========
- CVE-2021-33195 (insufficient validation)

A security issue has been found in Go before version 1.16.5. The
LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in
net, and their respective methods on the Resolver type may return
arbitrary values retrieved from DNS which do not follow the established
RFC 1035 rules for domain names. If these names are used without
further sanitization, for instance unsafely included in HTML, they may
allow for injection of unexpected content. Note that LookupTXT may
still return arbitrary values that could require sanitization before
further use.

- CVE-2021-33196 (denial of service)

A security issue has been found in Go before version 1.16.5. Due to a
pre-allocation optimization in zip.NewReader, a malformed archive which
indicates it has a significant number of files can cause either a panic
or memory exhaustion.

- CVE-2021-33197 (url request injection)

A security issue has been found in Go before version 1.16.5.
ReverseProxy in net/http/httputil could be made to forward certain hop-
by-hop headers, including Connection. In case the target of the
ReverseProxy was itself a reverse proxy, this would let an attacker
drop arbitrary headers, including those set by the
ReverseProxy.Director.

- CVE-2021-33198 (denial of service)

A security issue has been found in Go before version 1.16.5. The
SetString and UnmarshalText methods of math/big.Rat may cause a panic
or an unrecoverable fatal error if passed inputs with very large
exponents.

Impact
=====
An attacker could crash an application with crafted input, inject
malicious and unexpected content or drop HTTP headers by posing as a
reverse proxy.

References
=========
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ
https://github.com/golang/go/issues/46241
https://github.com/golang/go/commit/df6a737cc899507d3090e995abd1e1ed1a30cee3
https://github.com/golang/go/issues/46242
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912
https://github.com/golang/go/commit/895fb1bb6fc0d3c01c5ef7c8cbaf033d1fff9ad7
https://github.com/golang/go/issues/46313
https://github.com/golang/go/commit/0410005dc458f23fb15f64354f9a24ca8f2fe044
https://github.com/golang/go/issues/45910
https://github.com/golang/go/commit/9210eaf7dc704612a6eda97c482012f779fd833b
https://security.archlinux.org/CVE-2021-33195
https://security.archlinux.org/CVE-2021-33196
https://security.archlinux.org/CVE-2021-33197
https://security.archlinux.org/CVE-2021-33198

ArchLinux: 202106-42: go: multiple issues

June 18, 2021

Summary

- CVE-2021-33195 (insufficient validation) A security issue has been found in Go before version 1.16.5. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.
- CVE-2021-33196 (denial of service)
A security issue has been found in Go before version 1.16.5. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion.
- CVE-2021-33197 (url request injection)
A security issue has been found in Go before version 1.16.5. ReverseProxy in net/http/httputil could be made to forward certain hop- by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.
- CVE-2021-33198 (denial of service)
A security issue has been found in Go before version 1.16.5. The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.

Resolution

Upgrade to 2:1.16.5-1. # pacman -Syu "go>=2:1.16.5-1"
The problems have been fixed upstream in version 1.16.5.

References

https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ https://github.com/golang/go/issues/46241 https://github.com/golang/go/commit/df6a737cc899507d3090e995abd1e1ed1a30cee3 https://github.com/golang/go/issues/46242 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912 https://github.com/golang/go/commit/895fb1bb6fc0d3c01c5ef7c8cbaf033d1fff9ad7 https://github.com/golang/go/issues/46313 https://github.com/golang/go/commit/0410005dc458f23fb15f64354f9a24ca8f2fe044 https://github.com/golang/go/issues/45910 https://github.com/golang/go/commit/9210eaf7dc704612a6eda97c482012f779fd833b https://security.archlinux.org/CVE-2021-33195 https://security.archlinux.org/CVE-2021-33196 https://security.archlinux.org/CVE-2021-33197 https://security.archlinux.org/CVE-2021-33198

Severity
Package : go
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2006

Workaround

None.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved