Arch Linux Security Advisory ASA-202011-16

Severity: High
Date : 2020-11-17
CVE-ID : CVE-2020-28362 CVE-2020-28366 CVE-2020-28367
Package : go
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1278

Summary

The package go before version 2:1.15.5-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution

Upgrade to 2:1.15.5-1.

pacman -Syu “go>=2:1.15.5-1”

The problems have been fixed upstream in version 1.15.5.

Workaround

None.

Description

• CVE-2020-28362 (denial of service)

A flaw was found in go before 1.15.5 where a number of math/big.Int
methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt,
Jacobi, and GCD) can panic when provided crafted large inputs. For the
panic to happen, the divisor or modulo argument must be larger than
3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
architectures). Multiple math/big.Rat methods are similarly affected.
crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify
may panic when provided crafted public keys and signatures.
crypto/ecdsa and crypto/elliptic operations may only be affected if
custom CurveParams with unusually large field sizes (several times
larger than the largest supported curve, P-521) are in use. Using
crypto/x509.Verify on a crafted X.509 certificate chain can lead to a
panic, even if the certificates don’t chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients
can be made to crash by an HTTPS server, while net/http servers that
accept client certificates will recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509
certificate request or during a golang.org/x/crypto/otr conversation.
Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature
may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a
malformed host key, while a server could panic if either
PublicKeyCallback accepts a malformed public key, or if IsUserAuthority
accepts a certificate with a malformed public key.

• CVE-2020-28366 (arbitrary code execution)

A flaw was found in go beforer 1.15.5 where the go command may execute
arbitrary code at build time when cgo is in use. This may occur when
running go get on a malicious package, or any other command that builds
untrusted code.

• CVE-2020-28367 (arbitrary code execution)

A flaw was found in go before 1.15.5 where the go command may execute
arbitrary code at build time when cgo is in use. This may occur when
running go get on a malicious package, or any other command that builds
untrusted code.

Impact

A local attacker might be able to crash the program via a crafted
input. In addition a remote attacker might be able to execute arbitrary
code when go get is run on a malicious package, or untrusted code is
built via any other command.

References

https://github.com/golang/go/commit/84150d0af193a7ccd733b3c7fa5787f43125cd2d
https://github.com/golang/go/issues/42554
https://github.com/golang/go/issues/42562
https://github.com/golang/go/commit/32159824698a82a174b60a6845e8494ae3243102
https://github.com/golang/go/issues/42558
https://github.com/golang/go/commit/ec06b6d6be568ce1591d91a0ea4f14c190d06605
https://security.archlinux.org/CVE-2020-28362
https://security.archlinux.org/CVE-2020-28366
https://security.archlinux.org/CVE-2020-28367