[Buildroot] [PATCH] package/go: security bump to 1.15.5

Peter Korsgaard peter at korsgaard.com
Fri Nov 13 13:46:56 UTC 2020


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > - math/big: panic during recursive division of very large numbers

 >   A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
 >   ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted
 >   large inputs.  For the panic to happen, the divisor or modulo argument
 >   must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on
 >   64-bit architectures).  Multiple math/big.Rat methods are similarly affected.

 >   crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify may
 >   panic when provided crafted public keys and signatures.  crypto/ecdsa and
 >   crypto/elliptic operations may only be affected if custom CurveParams with
 >   unusually large field sizes (several times larger than the largest
 >   supported curve, P-521) are in use.  Using crypto/x509.Verify on a crafted
 >   X.509 certificate chain can lead to a panic, even if the certificates
 >   don’t chain to a trusted root.  The chain can be delivered via a
 >   crypto/tls connection to a client, or to a server that accepts and
 >   verifies client certificates.  net/http clients can be made to crash by an
 >   HTTPS server, while net/http servers that accept client certificates will
 >   recover the panic and are unaffected.

 >   Moreover, an application might crash invoking
 >   crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
 >   request or during a golang.org/x/crypto/otr conversation.  Parsing a
 >   golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
 >   Finally, a golang.org/x/crypto/ssh client can panic due to a malformed
 >   host key, while a server could panic if either PublicKeyCallback accepts a
 >   malformed public key, or if IsUserAuthority accepts a certificate with a
 >   malformed public key.

 >   Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting
 >   this.  Thanks to Rémy Oudompheng and Robert Griesemer for their help
 >   developing and validating the fix.

 >   This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.

 > - cmd/go: arbitrary code execution at build time through cgo

 >   The go command may execute arbitrary code at build time when cgo is in
 >   use.  This may occur when running go get on a malicious package, or any
 >   other command that builds untrusted code.

 >   This can be caused by malicious gcc flags specified via a #cgo directive,
 >   or by a malicious symbol name in a linked object file.

 >   Thanks to Imre Rad and to Chris Brown and Tempus Ex respectively for
 >   reporting these issues.

 >   These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
 >   golang.org/issue/42556 and golang.org/issue/42559 respectively.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
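The math/big advisory quoted above describes a denial-of-service pattern: a crafted oversized divisor or modulus reaching math/big from the network. Two defensive measures apply regardless of Go version, and the example below, which is added here and is not code from the Go release or from the Buildroot patch, shows both: bounding the bit length of untrusted operands before they reach math/big, and converting any panic in the arithmetic into an error the caller can handle (the recovery the advisory credits for keeping net/http servers unaffected). The 4096-bit ceiling, the `SafeModExp` and `guarded` names, and the sample inputs are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// maxOperandBits is a constructed ceiling for this example. The advisory says
// the affected versions could panic once a divisor or modulus exceeded 3168
// bits (32-bit) or 6336 bits (64-bit); 4096 bits is assumed here as a
// generous bound for RSA-style moduli that still stays below both thresholds.
const maxOperandBits = 4096

// ErrOversized is returned when an untrusted operand exceeds maxOperandBits.
var ErrOversized = errors.New("operand exceeds allowed bit length")

// checkSize rejects any operand above the ceiling before math/big sees it.
func checkSize(xs ...*big.Int) error {
	for _, x := range xs {
		if x.BitLen() > maxOperandBits {
			return ErrOversized
		}
	}
	return nil
}

// guarded runs op and turns a panic inside it into an ordinary error, so a
// network-facing caller degrades to a rejected request instead of a crash.
func guarded(op func() *big.Int) (result *big.Int, err error) {
	defer func() {
		if r := recover(); r != nil {
			result, err = nil, fmt.Errorf("math/big operation panicked: %v", r)
		}
	}()
	return op(), nil
}

// SafeModExp computes base^exp mod m for operands taken from an untrusted
// source: size-checked first, then executed under the panic guard.
func SafeModExp(base, exp, m *big.Int) (*big.Int, error) {
	if err := checkSize(base, exp, m); err != nil {
		return nil, err
	}
	if m.Sign() == 0 {
		return nil, errors.New("zero modulus")
	}
	return guarded(func() *big.Int {
		return new(big.Int).Exp(base, exp, m)
	})
}

func main() {
	// Constructed sample: a normal-sized computation succeeds.
	r, err := SafeModExp(big.NewInt(2), big.NewInt(10), big.NewInt(1000))
	fmt.Println(r, err) // 24 <nil>

	// Constructed sample: a 5000-bit modulus is refused before any arithmetic.
	huge := new(big.Int).Lsh(big.NewInt(1), 5000)
	_, err = SafeModExp(big.NewInt(2), big.NewInt(3), huge)
	fmt.Println(err) // operand exceeds allowed bit length
}
```

The size check is the primary control: it keeps the cost of the operation bounded and independent of whatever an attacker sends. The recover wrapper is the backstop for code paths where the operand size cannot be known in advance, and should be paired with logging so that a panic converted to an error is still visible to operators.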

