Arch Linux Security Advisory ASA-202011-16
=========================================
Severity: High
Date    : 2020-11-17
CVE-ID  : CVE-2020-28362 CVE-2020-28366 CVE-2020-28367
Package : go
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1278

Summary
======
The package go before version 2:1.15.5-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
=========
Upgrade to 2:1.15.5-1.

# pacman -Syu "go>=2:1.15.5-1"

The problems have been fixed upstream in version 1.15.5.

Workaround
=========
None.

Description
==========
- CVE-2020-28362 (denial of service)

A flaw was found in go before 1.15.5 where a number of math/big.Int
methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt,
Jacobi, and GCD) can panic when provided crafted large inputs. For the
panic to happen, the divisor or modulo argument must be larger than
3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
architectures). Multiple math/big.Rat methods are similarly affected.
crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify
may panic when provided crafted public keys and signatures.
crypto/ecdsa and crypto/elliptic operations may only be affected if
custom CurveParams with unusually large field sizes (several times
larger than the largest supported curve, P-521) are in use. Using
crypto/x509.Verify on a crafted X.509 certificate chain can lead to a
panic, even if the certificates don’t chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients
can be made to crash by an HTTPS server, while net/http servers that
accept client certificates will recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509
certificate request or during a golang.org/x/crypto/otr conversation.
Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature
may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a
malformed host key, while a server could panic if either
PublicKeyCallback accepts a malformed public key, or if IsUserAuthority
accepts a certificate with a malformed public key.
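
The following Go program is an added defensive example; it is not part of this advisory or of the Go project. It turns the bit-length thresholds quoted above into a precondition on divisor and modulus operands that an application derives from untrusted input (for example the modulus of a parsed RSA public key), so an oversized operand is rejected with an error before it reaches the affected math/big methods. The function names, the 7001-bit sample operand and the 2048-bit minimum-key-size policy are constructed for the example. The guard only covers math/big calls the application makes itself; the crypto/tls and crypto/x509 paths listed above perform those calls inside the standard library and are addressed by the upgrade.

```go
package main

import (
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
	"strconv"
)

// Thresholds quoted in the advisory: the affected math/big methods panic
// only when the divisor or modulus exceeds these bit lengths.
const (
	panicThresholdBits32 = 3168
	panicThresholdBits64 = 6336
)

// ErrOperandTooLarge is returned when a divisor or modulus is large enough
// to reach the panicking code path on an unpatched runtime.
var ErrOperandTooLarge = errors.New("divisor or modulus exceeds safe bit length")

// MaxSafeBits returns the advisory's threshold for the current word size.
// strconv.IntSize is 32 or 64 depending on the target architecture.
func MaxSafeBits() int {
	if strconv.IntSize == 32 {
		return panicThresholdBits32
	}
	return panicThresholdBits64
}

// CheckOperand rejects a non-positive or oversized divisor/modulus before it
// reaches math/big. Apply it to any operand derived from untrusted input.
func CheckOperand(n *big.Int) error {
	if n == nil || n.Sign() <= 0 {
		return errors.New("divisor or modulus must be positive")
	}
	if n.BitLen() > MaxSafeBits() {
		return ErrOperandTooLarge
	}
	return nil
}

// SafeModInverse wraps big.Int.ModInverse with the operand check and
// returns an error instead of nil when no inverse exists.
func SafeModInverse(g, n *big.Int) (*big.Int, error) {
	if err := CheckOperand(n); err != nil {
		return nil, err
	}
	inv := new(big.Int).ModInverse(g, n)
	if inv == nil {
		return nil, errors.New("no modular inverse exists")
	}
	return inv, nil
}

// SafeQuoRem wraps big.Int.QuoRem with the same check on the divisor.
func SafeQuoRem(x, y *big.Int) (q, r *big.Int, err error) {
	if err := CheckOperand(y); err != nil {
		return nil, nil, err
	}
	q, r = new(big.Int).QuoRem(x, y, new(big.Int))
	return q, r, nil
}

// CheckRSAPublicKey applies the same bound to a parsed RSA public key, the
// kind of untrusted operand crypto/rsa hands to math/big. The constructed
// policy also rejects keys below minBits as a sanity floor.
func CheckRSAPublicKey(pub *rsa.PublicKey, minBits int) error {
	if pub == nil || pub.N == nil {
		return errors.New("missing RSA modulus")
	}
	if pub.N.BitLen() < minBits {
		return fmt.Errorf("RSA modulus is %d bits, below minimum %d", pub.N.BitLen(), minBits)
	}
	return CheckOperand(pub.N)
}

func main() {
	// Constructed inputs: a small modulus that passes, and a 7001-bit
	// modulus that exceeds the threshold on both 32- and 64-bit targets.
	small := big.NewInt(7)
	huge := new(big.Int).Lsh(big.NewInt(1), 7000)

	inv, err := SafeModInverse(big.NewInt(3), small)
	fmt.Println("inverse of 3 mod 7:", inv, err)

	_, err = SafeModInverse(big.NewInt(3), huge)
	fmt.Println("7001-bit modulus:", err)

	err = CheckRSAPublicKey(&rsa.PublicKey{N: huge, E: 65537}, 2048)
	fmt.Println("oversized RSA key:", err)
}
```

The check is deliberately placed on the operand rather than around the call: a panic inside math/big on an unpatched runtime would not be an ordinary error the caller can inspect, so rejecting the input up front is the only point at which the application can decide to fail cleanly.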

- CVE-2020-28366 (arbitrary code execution)

A flaw was found in go before 1.15.5 where the go command may execute
arbitrary code at build time when cgo is in use. This may occur when
running go get on a malicious package, or any other command that builds
untrusted code.

- CVE-2020-28367 (arbitrary code execution)

A flaw was found in go before 1.15.5 where the go command may execute
arbitrary code at build time when cgo is in use. This may occur when
running go get on a malicious package, or any other command that builds
untrusted code.

Impact
=====
A local attacker might be able to crash the program via a crafted
input. In addition a remote attacker might be able to execute arbitrary
code when go get is run on a malicious package, or untrusted code is
built via any other command.

References
=========
https://github.com/golang/go/commit/84150d0af193a7ccd733b3c7fa5787f43125cd2d
https://github.com/golang/go/issues/42554
https://github.com/golang/go/issues/42562
https://github.com/golang/go/commit/32159824698a82a174b60a6845e8494ae3243102
https://github.com/golang/go/issues/42558
https://github.com/golang/go/commit/ec06b6d6be568ce1591d91a0ea4f14c190d06605
https://security.archlinux.org/CVE-2020-28362
https://security.archlinux.org/CVE-2020-28366
https://security.archlinux.org/CVE-2020-28367
