Bug 1040618 - (CVE-2017-8932) VUL-0: CVE-2017-8932: go: Elliptic curves carry propagation issue in x86-64 P-256
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/185867/
CVSSv3:RedHat:CVE-2017-8932:4.8:(AV:N...
Reported: 2017-05-24 14:40 UTC by Marcus Meissner
Modified: 2019-05-07 10:55 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2017-05-24 14:40:16 UTC
https://github.com/golang/go/issues/20040

Cloudflare reported a carry bug in the P-256 implementation that they submitted for x86-64 in 7bacfc6. I can reproduce this via random testing against BoringSSL and, after applying the patch that they provided, can no longer do so, even after ~2^31 iterations.

This issue is not obviously exploitable, although we cannot rule out the possibility of someone managing to squeeze something through this hole. (It would be a cool paper.) Thus this should be treated as something to fix, but not something on fire, based on what we currently know.

https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c

https://golang.org/cl/41070
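A differential check of the kind the report relies on (random testing of the optimized P-256 code against an independent implementation), added here as an example that is not part of the bug report or of Go's own test suite: it compares crypto/elliptic's P-256 scalar multiplication, which uses the assembly path on amd64, against a deliberately naive affine math/big reference. The names refAdd, refScalarBaseMult and Agree are chosen here; on non-amd64 hosts the comparison still runs but does not exercise the assembly.

```go
package main
import "crypto/elliptic"
import "math/big"
// refAdd is affine P-256 point addition using only math/big, so it shares no code
// with the amd64 assembly under test; a nil x stands for the point at infinity.
func refAdd(p *elliptic.CurveParams, x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
	if x1 == nil {
		return x2, y2
	} else if x2 == nil {
		return x1, y1
	}
	num, den := new(big.Int).Sub(y2, y1), new(big.Int).Sub(x2, x1) // chord slope
	if x1.Cmp(x2) == 0 { // same x: either P + (-P) or a doubling
		if y1.Cmp(y2) != 0 || y1.Sign() == 0 {
			return nil, nil // infinity
		}
		num.Mul(x1, x1).Mul(num, big.NewInt(3)).Sub(num, big.NewInt(3)) // 3x^2 + a, a = -3
		den.Lsh(y1, 1) // 2y
	}
	den.Mod(den, p.P)
	lam := new(big.Int).Mul(num, den.ModInverse(den, p.P))
	x3 := new(big.Int).Mul(lam.Mod(lam, p.P), lam)
	x3.Sub(x3, x1).Sub(x3, x2).Mod(x3, p.P)
	y3 := new(big.Int).Sub(x1, x3)
	y3.Mul(y3, lam).Sub(y3, y1).Mod(y3, p.P)
	return x3, y3
}
// refScalarBaseMult is plain left-to-right double-and-add on the generator G.
func refScalarBaseMult(p *elliptic.CurveParams, k []byte) (*big.Int, *big.Int) {
	var rx, ry *big.Int // start at infinity
	for _, b := range k {
		for i := 7; i >= 0; i-- {
			rx, ry = refAdd(p, rx, ry, rx, ry)
			if (b>>uint(i))&1 == 1 {
				rx, ry = refAdd(p, rx, ry, p.Gx, p.Gy)
			}
		}
	}
	return rx, ry
}
// Agree reports whether the platform P-256 code and the reference give the same k*G.
func Agree(k []byte) bool {
	c := elliptic.P256()
	ax, ay := c.ScalarBaseMult(k)
	rx, ry := refScalarBaseMult(c.Params(), k)
	if rx == nil { // the optimized path reports infinity as (0, 0)
		return ax.Sign() == 0 && ay.Sign() == 0
	}
	return ax.Cmp(rx) == 0 && ay.Cmp(ry) == 0
}
```

Feeding Agree random 32-byte scalars from crypto/rand in a loop turns this into the kind of randomized cross-check described in the report; any mismatch points at an arithmetic defect in the optimized path.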
Comment 1 Marcus Meissner 2017-05-24 14:44:28 UTC
Which Go-compiled tools speak SSL/HTTPS?
Comment 2 Flavio Castelli 2017-05-24 16:08:49 UTC
(In reply to Marcus Meissner from comment #1)
> Which Go-compiled tools speak SSL/HTTPS?

I can think of:

  * etcd
  * kubernetes apiserver
  * docker

Right now the most vulnerable parts are etcd and the kubernetes api-server because they listen for incoming connections. This does not apply to our docker deployments.

I'm going to assign the bug to Thomas Hipp who is following go packaging. I think upstream will publish patch releases of Go. We should update our packages to include the fix.

Adding Jordi too, given he's involved with the release of quite a few Go-based packages.
Comment 3 Thomas Hipp 2017-05-29 08:05:12 UTC
Upstream has released version 1.8.2 which includes a patch for this issue.
Comment 4 Thomas Hipp 2017-05-30 09:15:47 UTC
All relevant go packages in IBS and OBS have been updated and include the upstream patch.
Comment 5 Bernhard Wiedemann 2017-05-30 10:00:44 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/499627 42.2+Backports:SLE-12+Backports:SLE-12-SP1 / go
Comment 6 Swamp Workflow Management 2017-06-22 16:10:16 UTC
openSUSE-SU-2017:1649-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040618
CVE References: CVE-2017-8932
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.7.0-12.1, go-1.7.0-5.2
Comment 7 Swamp Workflow Management 2017-06-22 16:10:33 UTC
openSUSE-SU-2017:1650-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040618
CVE References: CVE-2017-8932
Sources used:
openSUSE Leap 42.2 (src):    go-1.6.2-23.3.3
Comment 11 Swamp Workflow Management 2017-07-26 20:28:31 UTC
SUSE-RU-2017:1965-1: An update that solves one vulnerability and has 17 fixes is now available.

Category: recommended (moderate)
Bug References: 1026827,1028113,1028638,1028639,1030702,1032287,1032644,1032769,1034053,1034063,1037436,1037607,1038476,1038493,1040618,953182,964546,996303
CVE References: CVE-2017-8932
Sources used:
SUSE OpenStack Cloud 6 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, docker-distribution-2.6.1-15.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
OpenStack Cloud Magnum Orchestration 7 (src):    containerd-0.2.5+gitr639_422e31c-20.2, docker-17.04.0_ce-98.2, golang-github-docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1, runc-0.1.1+gitr2947_9c2d8d1-20.3
Comment 12 Jordi Massaguer 2017-07-27 09:57:00 UTC
Closing as this has been released.
Comment 14 Swamp Workflow Management 2018-05-17 17:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/610123 Factory / go1.10
Comment 22 Swamp Workflow Management 2018-12-15 08:40:29 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11
Comment 24 Swamp Workflow Management 2018-12-17 15:40:26 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11
Comment 25 Swamp Workflow Management 2019-02-27 11:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11
Comment 26 Swamp Workflow Management 2019-03-25 11:10:24 UTC
This is an autogenerated message for OBS integration:
This bug (1040618) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12