Update Golang 1.13.7, x/crypto (CVE-2020-0601, CVE-2020-7919) by thaJeztah · Pull Request #3987 · containerd/containerd

thaJeztah · 2020-01-28T17:40:18Z

Update Golang 1.13.7

full diff: golang/go@go1.13.6...go1.13.7

go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates
the CVE-2020-0601 certificate verification bypass on Windows. The other affects
only 32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved

X.509 certificate validation bypass on Windows 10
A Windows vulnerability allows attackers to spoof valid certificate chains when
the system root store is in use. These releases include a mitigation for Go
applications, but it’s strongly recommended that affected users install the
Windows security update to protect their system.
This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1

full diff: golang/crypto@60c769a...69ecbb4

Includes golang/crypto@69ecbb4
(forward-port of golang/crypto@8b5121b),
which fixes CVE-2020-7919:

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

full diff: golang/go@go1.13.6...go1.13.7 go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures. https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved - X.509 certificate validation bypass on Windows 10 A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834. - Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte. Signed-off-by: Sebastiaan van Stijn <[email protected]>

thaJeztah · 2020-01-28T17:41:07Z

looking at updating golang.org/x/crypto, but the commit was done in a go1.13 release branch (golang/crypto@8b5121be2f68) trying to find if it's on master as well

thaJeztah · 2020-01-28T17:42:55Z

LOL, I was too fast; it's merged a minute ago; golang/crypto@69ecbb4

…0884e1 full diff: golang/crypto@60c769a...69ecbb4 Includes golang/crypto@69ecbb4 (forward-port of golang/crypto@8b5121b), to address CVE-2020-7919: Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. Signed-off-by: Sebastiaan van Stijn <[email protected]>

theopenlab-ci · 2020-01-28T17:53:22Z

Build succeeded.

containerd-build-arm64 : SUCCESS in 5m 44s (non-voting)

dims · 2020-01-28T21:19:54Z

hmmm .... same failure on all 3 branches

--- FAIL: TestLosetup (0.14s)
    --- FAIL: TestLosetup/RemoveLoopDevicesAssociatedWithImage (0.05s)
        losetup_test.go:90: assertion failed: error is not nil: losetup --detach /dev/loop4
            error: losetup: /dev/loop4: detach failed: No such device or address

codecov-io · 2020-01-29T05:09:51Z

Codecov Report

Merging #3987 into master will not change coverage.
The diff coverage is n/a.

@@          Coverage Diff           @@
##           master   #3987   +/-   ##
======================================
  Coverage      46%     46%           
======================================
  Files         117     117           
  Lines       11829   11829           
======================================
  Hits         5442    5442           
  Misses       5469    5469           
  Partials      918     918

Flag	Coverage Δ
#linux	`46% <ø> (ø)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d3b4257...2002411. Read the comment docs.

fuweid

LGTM

estesp

LGTM

thaJeztah changed the title ~~Update Golang 1.13.7 (CVE-2020-0601, CVE-2020-7919)~~ Update Golang 1.13.7, x/crypto (CVE-2020-0601, CVE-2020-7919) Jan 28, 2020

fuweid approved these changes Jan 29, 2020

View reviewed changes

estesp approved these changes Jan 29, 2020

View reviewed changes

estesp merged commit a07cb9d into containerd:master Jan 29, 2020

thaJeztah deleted the bump_golang_1.13.7 branch January 29, 2020 09:18

This was referenced Feb 26, 2020

[release/1.2 backport] Update to Golang 1.13.8 #4060

Merged

[release/1.3 backport] Update to Golang 1.13.8 #4069

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update Golang 1.13.7, x/crypto (CVE-2020-0601, CVE-2020-7919)#3987

Update Golang 1.13.7, x/crypto (CVE-2020-0601, CVE-2020-7919)#3987
estesp merged 2 commits intocontainerd:masterfrom
thaJeztah:bump_golang_1.13.7

thaJeztah commented Jan 28, 2020 •

edited

Loading

Uh oh!

thaJeztah commented Jan 28, 2020

Uh oh!

thaJeztah commented Jan 28, 2020

Uh oh!

theopenlab-ci Bot commented Jan 28, 2020

Uh oh!

dims commented Jan 28, 2020

Uh oh!

codecov-io commented Jan 29, 2020 •

edited

Loading

Uh oh!

fuweid left a comment

Uh oh!

estesp left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

thaJeztah commented Jan 28, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!