Bug 1040618 (CVE-2017-8932)

Summary: VUL-0: CVE-2017-8932: go: Elliptic curves carry propagation issue in x86-64 P-256
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: jmassaguerpla, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/185867/
Whiteboard: CVSSv3:RedHat:CVE-2017-8932:4.8:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) CVSSv3:NVD:CVE-2017-8932:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv2:NVD:CVE-2017-8932:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2017-05-24 14:40:16 UTC
https://github.com/golang/go/issues/20040

Cloudflare reported a carry bug in the P-256 implementation that they submitted for x86-64 in 7bacfc6. I can reproduce this via random testing against BoringSSL and, after applying the patch that they provided, can no longer do so, even after ~231 iterations.

This issue is not obviously exploitable, although we cannot rule out the possibility of someone managing to squeeze something through this hole. (It would be a cool paper.) Thus this should be treated as something to fix, but not something on fire, based on what we currently know.

https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c

https://golang.org/cl/41070
Comment 1 Marcus Meissner 2017-05-24 14:44:28 UTC
which go compiled tools speak SSL/HTTPS ?
Comment 2 Flavio Castelli 2017-05-24 16:08:49 UTC
(In reply to Marcus Meissner from comment #1)
> which go compiled tools speak SSL/HTTPS ?

I can think of:

  * etcd
  * kubernetes apiserver
  * docker

Right now the most vulnerable parts are etcd and the kubernetes api-server because they listen to incoming connection. This does not apply to our docker deployments.

I'm going to assign the bug to Thomas Hipp who is following go packaging. I think upstream will publish patch releases of Go. We should update our packages to include the fix.

Adding Jordi too, given he's involved with the release of quite some go-based packages.
Comment 3 Thomas Hipp 2017-05-29 08:05:12 UTC
Upstream has released version 1.8.2 which includes a patch for this issue.
Comment 4 Thomas Hipp 2017-05-30 09:15:47 UTC
All relevant go packages in IBS and OBS have been updated and include the upstream patch.
Comment 5 Bernhard Wiedemann 2017-05-30 10:00:44 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/499627 42.2+Backports:SLE-12+Backports:SLE-12-SP1 / go
Comment 6 Swamp Workflow Management 2017-06-22 16:10:16 UTC
openSUSE-SU-2017:1649-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040618
CVE References: CVE-2017-8932
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.7.0-12.1, go-1.7.0-5.2
Comment 7 Swamp Workflow Management 2017-06-22 16:10:33 UTC
openSUSE-SU-2017:1650-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040618
CVE References: CVE-2017-8932
Sources used:
openSUSE Leap 42.2 (src):    go-1.6.2-23.3.3
Comment 11 Swamp Workflow Management 2017-07-26 20:28:31 UTC
SUSE-RU-2017:1965-1: An update that solves one vulnerability and has 17 fixes is now available.

Category: recommended (moderate)
Bug References: 1026827,1028113,1028638,1028639,1030702,1032287,1032644,1032769,1034053,1034063,1037436,1037607,1038476,1038493,1040618,953182,964546,996303
CVE References: CVE-2017-8932
Sources used:
SUSE OpenStack Cloud 6 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, docker-distribution-2.6.1-15.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
OpenStack Cloud Magnum Orchestration 7 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
Comment 12 Jordi Massaguer 2017-07-27 09:57:00 UTC
closing as this has been released
Comment 14 Swamp Workflow Management 2018-05-17 17:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/610123 Factory / go1.10
Comment 22 Swamp Workflow Management 2018-12-15 08:40:29 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11
Comment 24 Swamp Workflow Management 2018-12-17 15:40:26 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11
Comment 25 Swamp Workflow Management 2019-02-27 11:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11
Comment 26 Swamp Workflow Management 2019-03-25 11:10:24 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12