Bug 1192377 (CVE-2021-41771)

Summary: VUL-0: CVE-2021-41771: go1.16,go1.17: debug/macho: invalid dynamic symbol table command can cause panic
Product: [Novell Products] SUSE Security Incidents Reporter: Jeff Kowalczyk <jkowalczyk>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2021-41771:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jeff Kowalczyk 2021-11-05 05:39:30 UTC
Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols, due to an out-of-bounds slice operation.

Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue

This is CVE-2021-41771 and Go issue go#48990.

References:

https://github.com/golang/go/issues/48990
Comment 1 OBSbugzilla Bot 2021-11-05 07:40:15 UTC
This is an autogenerated message for OBS integration:
This bug (1192377) was mentioned in
https://build.opensuse.org/request/show/929549 Factory / go1.16
https://build.opensuse.org/request/show/929550 Factory / go1.17
Comment 3 Swamp Workflow Management 2021-12-01 20:39:28 UTC
openSUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.17-1.17.3-1.9.1
Comment 4 Swamp Workflow Management 2021-12-01 20:50:32 UTC
SUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.17-1.17.3-1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.17-1.17.3-1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-01 21:16:00 UTC
SUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.16-1.16.10-1.32.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.16-1.16.10-1.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2021-12-01 21:32:03 UTC
openSUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.16-1.16.10-1.32.1
Comment 7 Swamp Workflow Management 2021-12-06 17:49:36 UTC
openSUSE-SU-2021:1539-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    go1.16-1.16.10-lp152.17.1