
Arch Linux alert ASA-202101-27 (go)

From:  Morten Linderud via arch-security <arch-security@lists.archlinux.org>
To:  arch-security@archlinux.org
Subject:  [ASA-202101-27] go: multiple issues
Date:  Thu, 28 Jan 2021 22:59:17 +0100
Message-ID:  <20210128215917.xe3inxbdimmmxpzy@anathema>
Cc:  Morten Linderud <foxboron@archlinux.org>

Arch Linux Security Advisory ASA-202101-27
==========================================

Severity: Medium
Date    : 2021-01-20
CVE-ID  : CVE-2021-3114 CVE-2021-3115
Package : go
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1481

Summary
=======

The package go before version 2:1.15.7-1 is vulnerable to multiple issues
including arbitrary command execution and incorrect calculation.

Resolution
==========

Upgrade to 2:1.15.7-1.

# pacman -Syu "go>=2:1.15.7-1"

The problems have been fixed upstream in version 1.15.7.

Workaround
==========

None.

Description
===========

- CVE-2021-3114 (incorrect calculation)

A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14.
The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult. The crypto/x509
and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224
ECDSA keys, but such keys are not supported by publicly trusted certificate
authorities. No other standard library or golang.org/x/crypto package
supports or uses the P-224 curve.

- CVE-2021-3115 (arbitrary command execution)

A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14.
The go command may execute arbitrary code at build time when using cgo on
Windows. This can be triggered by running go get for a malicious package, or
any other time the code is built: the malicious package contains specifically
named binaries which are executed when cgo runs in the context of the
malicious package directory. This is due to the path lookup behavior of
os/exec.LookPath on Windows, which consults the current directory. It also
affects Unix users who have "." listed explicitly in their PATH and are
running "go get" outside of a module or with module mode disabled. This has
been fixed by altering the usage of os/exec.LookPath by the go command to
reject any binary that resides in the current directory.

Impact
======

The P-224 curve implementation could produce incorrect outputs, leading to
potentially incorrect results from ECDSA signing or verification with P-224
keys, or from any other computation built on P224().ScalarMult.

Downloading a maliciously crafted package using "go get" (or otherwise
building it with cgo) can execute arbitrary code on Windows, or on Unix if
the user's $PATH explicitly contains the current directory.

References
==========

https://groups.google.com/g/golang-announce/c/mperVMGa98w...
https://github.com/golang/go/issues/43788
https://github.com/golang/go/commit/5c8fd727c41e31273923c...
https://blog.golang.org/path-security
https://github.com/golang/go/issues/43785
https://github.com/golang/go/commit/e8e7facfaa47bf21007c0...
https://github.com/golang/go/commit/07e3195293ec510171d7d...
https://security.archlinux.org/CVE-2021-3114
https://security.archlinux.org/CVE-2021-3115
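The CVE-2021-3115 description above comes down to one property of a PATH search: if PATH contains "." (or an empty entry, which means the same thing), a bare tool name can resolve to a file in whatever directory the build happens to run in. The following is an added example, not code from the advisory or from the Go project, that reimplements a minimal Unix-style lookup in its pre-fix form and then in the form the fixed go command uses (a bare name whose hit is not an absolute path is refused). The names `lookPathUnsafe`, `lookPathSafe`, `ErrDot` and `DemoDotInPath` are this example's own; the planted file `fakecc` is a constructed stand-in for a specifically named build tool and is never executed.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrDot is returned when a bare command name resolved to a binary in the
// current directory. The name is this example's own.
var ErrDot = errors.New("executable found relative to current directory")

// findExecutable mirrors the Unix rule: the path must exist, not be a
// directory, and carry at least one execute bit. (Windows uses other rules.)
func findExecutable(p string) error {
	fi, err := os.Stat(p)
	if err != nil {
		return err
	}
	if m := fi.Mode(); !m.IsDir() && m&0o111 != 0 {
		return nil
	}
	return fs.ErrPermission
}

// lookPathUnsafe is the behaviour the advisory describes: walk the PATH list
// and accept the first hit, even when the entry is "." or "" (both mean the
// current directory). pathEnv is a parameter rather than os.Getenv("PATH")
// so the two variants can be compared without touching the environment.
func lookPathUnsafe(file, pathEnv string) (string, error) {
	if strings.Contains(file, "/") {
		// Explicit path supplied by the caller: no PATH search.
		if err := findExecutable(file); err != nil {
			return "", err
		}
		return file, nil
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "."
		}
		p := filepath.Join(dir, file) // Join(".", "x") cleans to plain "x"
		if err := findExecutable(p); err == nil {
			return p, nil
		}
	}
	return "", fmt.Errorf("%q: executable file not found in PATH", file)
}

// lookPathSafe adds the check the fixed go command applies: a bare name
// (so the hit came from a PATH search) that resolves to a non-absolute path
// can only have come from a relative PATH entry such as "." and is refused.
// An explicit "./tool" asked for by the caller is still honoured.
func lookPathSafe(file, pathEnv string) (string, error) {
	p, err := lookPathUnsafe(file, pathEnv)
	if err != nil {
		return "", err
	}
	if filepath.Base(file) == file && !filepath.IsAbs(p) {
		return "", ErrDot
	}
	return p, nil
}

// DemoResult holds what the two lookups return in the advisory's scenario.
type DemoResult struct {
	Unsafe  string // pre-fix result with "." leading PATH (relative)
	SafeErr error  // fixed result for the same PATH (ErrDot)
	SafeAbs string // fixed result once "." is dropped from PATH (absolute)
}

// DemoDotInPath builds the Unix precondition from the advisory: a directory
// holding an executable file named tool (constructed; never run), the process
// chdir'd into it, and "." listed first in PATH. cwd is restored on return.
func DemoDotInPath(tool string) (DemoResult, error) {
	var r DemoResult
	dir, err := os.MkdirTemp("", "lookpath-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, tool), []byte("#!/bin/sh\necho planted\n"), 0o755); err != nil {
		return r, err
	}
	oldWd, err := os.Getwd()
	if err != nil {
		return r, err
	}
	if err := os.Chdir(dir); err != nil {
		return r, err
	}
	defer os.Chdir(oldWd) // runs before RemoveAll (LIFO)

	withDot := "." + string(os.PathListSeparator) + dir
	if r.Unsafe, err = lookPathUnsafe(tool, withDot); err != nil {
		return r, err
	}
	_, r.SafeErr = lookPathSafe(tool, withDot)
	r.SafeAbs, err = lookPathSafe(tool, dir) // same tool, "." removed
	return r, err
}

func main() {
	r, err := DemoDotInPath("fakecc")
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("unsafe lookup, PATH starts with \".\": %q\n", r.Unsafe)
	fmt.Printf("safe lookup,   PATH starts with \".\": %v\n", r.SafeErr)
	fmt.Printf("safe lookup,   absolute PATH only:    %q\n", r.SafeAbs)
}
```

The rejection is deliberately on the result rather than on the PATH string: checking `!filepath.IsAbs(p)` also catches an empty PATH entry and, on Windows, the implicit current-directory search that happens before PATH is consulted, which is why the advisory lists Windows as affected regardless of PATH. The same pattern is what golang.org/x/sys/execabs provides as a drop-in for callers that cannot yet move to a fixed toolchain.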




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds