Bug 1040618 – VUL-0: CVE-2017-8932: go: Elliptic curves carry propagation issue in x86-64 P-256

Bug 1040618 - (CVE-2017-8932) VUL-0: CVE-2017-8932: go: Elliptic curves carry propagation issue in x86-64 P-256

(CVE-2017-8932)
Summary:	VUL-0: CVE-2017-8932: go: Elliptic curves carry propagation issue in x86-64 P...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/185867/
Whiteboard:	CVSSv3:RedHat:CVE-2017-8932:4.8:(AV:N...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-05-24 14:40 UTC by Marcus Meissner
Modified:	2019-05-07 10:55 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2017-05-24 14:40:16 UTC

https://github.com/golang/go/issues/20040

Cloudflare reported a carry bug in the P-256 implementation that they submitted for x86-64 in 7bacfc6. I can reproduce this via random testing against BoringSSL and, after applying the patch that they provided, can no longer do so, even after ~231 iterations.

This issue is not obviously exploitable, although we cannot rule out the possibility of someone managing to squeeze something through this hole. (It would be a cool paper.) Thus this should be treated as something to fix, but not something on fire, based on what we currently know.

https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c

https://golang.org/cl/41070

Comment 1 Marcus Meissner 2017-05-24 14:44:28 UTC

which go compiled tools speak SSL/HTTPS ?

Comment 2 Flavio Castelli 2017-05-24 16:08:49 UTC

(In reply to Marcus Meissner from comment #1)
> which go compiled tools speak SSL/HTTPS ?

I can think of:

  * etcd
  * kubernetes apiserver
  * docker

Right now the most vulnerable parts are etcd and the kubernetes api-server because they listen to incoming connection. This does not apply to our docker deployments.

I'm going to assign the bug to Thomas Hipp who is following go packaging. I think upstream will publish patch releases of Go. We should update our packages to include the fix.

Adding Jordi too, given he's involved with the release of quite some go-based packages.

Comment 3 Thomas Hipp 2017-05-29 08:05:12 UTC

Upstream has released version 1.8.2 which includes a patch for this issue.

Comment 4 Thomas Hipp 2017-05-30 09:15:47 UTC

All relevant go packages in IBS and OBS have been updated and include the upstream patch.

Comment 5 Bernhard Wiedemann 2017-05-30 10:00:44 UTC

This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/499627 42.2+Backports:SLE-12+Backports:SLE-12-SP1 / go

Comment 6 Swamp Workflow Management 2017-06-22 16:10:16 UTC

openSUSE-SU-2017:1649-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040618
CVE References: CVE-2017-8932
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.7.0-12.1, go-1.7.0-5.2

Comment 7 Swamp Workflow Management 2017-06-22 16:10:33 UTC

openSUSE-SU-2017:1650-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040618
CVE References: CVE-2017-8932
Sources used:
openSUSE Leap 42.2 (src):    go-1.6.2-23.3.3

Comment 11 Swamp Workflow Management 2017-07-26 20:28:31 UTC

SUSE-RU-2017:1965-1: An update that solves one vulnerability and has 17 fixes is now available.

Category: recommended (moderate)
Bug References: 1026827,1028113,1028638,1028639,1030702,1032287,1032644,1032769,1034053,1034063,1037436,1037607,1038476,1038493,1040618,953182,964546,996303
CVE References: CVE-2017-8932
Sources used:
SUSE OpenStack Cloud 6 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, docker-distribution-2.6.1-15.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
OpenStack Cloud Magnum Orchestration 7 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3

Comment 12 Jordi Massaguer 2017-07-27 09:57:00 UTC

closing as this has been released

Comment 14 Swamp Workflow Management 2018-05-17 17:00:25 UTC

This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/610123 Factory / go1.10

Comment 22 Swamp Workflow Management 2018-12-15 08:40:29 UTC

This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11

Comment 24 Swamp Workflow Management 2018-12-17 15:40:26 UTC

This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11

Comment 25 Swamp Workflow Management 2019-02-27 11:00:28 UTC

This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11

Comment 26 Swamp Workflow Management 2019-03-25 11:10:24 UTC

This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12