Bug 1192377 - (CVE-2021-41771) VUL-0: CVE-2021-41771: go1.16,go1.17: debug/macho: invalid dynamic symbol table command can cause panic
(CVE-2021-41771)
VUL-0: CVE-2021-41771: go1.16,go1.17: debug/macho: invalid dynamic symbol tab...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-11-05 05:39 UTC by Jeff Kowalczyk
Modified: 2022-04-13 07:25 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2021-11-05 05:39:30 UTC
Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols, due to an out-of-bounds slice operation.

Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue

This is CVE-2021-41771 and Go issue go#48990.

References:

https://github.com/golang/go/issues/48990
Comment 1 OBSbugzilla Bot 2021-11-05 07:40:15 UTC
This is an autogenerated message for OBS integration:
This bug (1192377) was mentioned in
https://build.opensuse.org/request/show/929549 Factory / go1.16
https://build.opensuse.org/request/show/929550 Factory / go1.17
Comment 3 Swamp Workflow Management 2021-12-01 20:39:28 UTC
openSUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.17-1.17.3-1.9.1
Comment 4 Swamp Workflow Management 2021-12-01 20:50:32 UTC
SUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.17-1.17.3-1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.17-1.17.3-1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-01 21:16:00 UTC
SUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.16-1.16.10-1.32.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.16-1.16.10-1.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2021-12-01 21:32:03 UTC
openSUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.16-1.16.10-1.32.1
Comment 7 Swamp Workflow Management 2021-12-06 17:49:36 UTC
openSUSE-SU-2021:1539-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    go1.16-1.16.10-lp152.17.1