CVE-2017-15041 – golang: arbitrary code execution during "go get" or "go get -d"
https://notcve.org/view.php?id=CVE-2017-15041
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get." Go, en sus versiones 1.8.4 y versiones 1.9.x anteriores a la 1.9.1, permite que se ejecuten comandos "go get" de manera remota. • http://www.securityfocus.com/bid/101196 https://access.redhat.com/errata/RHSA-2017:3463 https://access.redhat.com/errata/RHSA-2018:0878 https://github.com/golang/go/issues/22125 https://golang.org/cl/68022 https://golang.org/cl/68190 https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html https://security.gentoo.org/glsa •
CVE-2017-1000098 – golang: net/http: multipart ReadForm close file after copy
https://notcve.org/view.php?id=CVE-2017-1000098
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. El método Request.ParseMultipartForm del paquete net/http empieza a escribir en archivos temporales una vez que el tamaño del cuerpo de la petición sobrepase el límite "maxMemory" establecido. Un atacante podría generar un petición multipart manipulada para que el servidor se quede sin descriptores de archivo. • https://golang.org/cl/30410 https://golang.org/issue/17965 https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ https://access.redhat.com/security/cve/CVE-2017-1000098 https://bugzilla.redhat.com/show_bug.cgi?id=1401985 • CWE-769: DEPRECATED: Uncontrolled File Descriptor Consumption •
CVE-2017-1000097
https://notcve.org/view.php?id=CVE-2017-1000097
On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. En Darwin, no se verifican las preferencias de confianza del usuario para certificados root. Si el usuario tiene un certificado root cargado en su Keychain que se ha definido explícitamente como no fiable, un programa Go podría aun verificar una conexión utilizando ese certificado root. • https://github.com/golang/go/issues/18141 https://go-review.googlesource.com/c/33721 https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ • CWE-295: Improper Certificate Validation •
CVE-2017-8932 – golang: Elliptic curves carry propagation issue in x86-64 P-256
https://notcve.org/view.php?id=CVE-2017-8932
A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries. Un error en la implementación de la biblioteca estándar ScalarMult de curve P-256 para arquitecturas amd64 en Go anterior a versión 1.7.6 y 1.8.x anterior a versión 1.8.2, causa resultados incorrectos para ser generados por puntos de entrada específicos. Se puede montar un ataque adaptativo para extraer progresivamente la entrada scalar hacia ScalarMult mediante el envío de puntos creados y observando fallos para la salida correcta derivada. • http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html http://lists.opensuse.org/opensuse-updates/2017-06/msg00080.html https://access.redhat.com/errata/RHSA-2017:1859 https://bugzilla.redhat.com/show_bug.cgi?id=1455191 https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c https://github.com/golang/go/issues/20040 https://go-review.googlesource.com/c/41070 https://groups.google.com/d/msg/golang-announce/B5ww0iFt1_Q/TgUFJV14BgAJ https://lists.fedoraproject.org • CWE-682: Incorrect Calculation •
CVE-2016-5386 – Go: sets environmental variable based on user supplied Proxy request header
https://notcve.org/view.php?id=CVE-2016-5386
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. El paquete net/http en Go hasta la versión 1.6 no intenta abordar los conflictos de espacio de nombres de RFC 3875 sección 4.1.18 y por lo tanto no protege aplicaciones CGI de la presencia de datos de clientes no confiables en ambiente variable de HTTP_PROXY, lo que podría permitir a atacantes remotos redireccionar el tráfico HTTP saliente de una aplicación CGI a un servidor proxy arbitrario a través de una cabecera Proxy manipulada en una petición HTTP, también conocido como un problema "httpoxy". An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTP_PROXY" is used by numerous web clients, including Go's net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack. • http://rhn.redhat.com/errata/RHSA-2016-1538.html http://www.kb.cert.org/vuls/id/797896 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html https://bugzilla.redhat.com/show_bug.cgi?id=1353798 https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us https://httpoxy.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproje • CWE-20: Improper Input Validation CWE-284: Improper Access Control •