https://bugzilla.redhat.com/show_bug.cgi?id=1455189
Bug ID: 1455189
Summary: CVE-2017-8932 golang: Elliptic curvers carry propagation issue in x86-64 P-256
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: admiller@redhat.com, amurdaca@redhat.com, aortega@redhat.com, apevec@redhat.com, ayoung@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, chrisw@redhat.com, cvsbot-xmlrpc@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, golang-updates@lists.fedoraproject.org, jcajka@redhat.com, jgoulding@redhat.com, jjoyce@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, jschluet@redhat.com, kbasil@redhat.com, kseifried@redhat.com, lemenkov@gmail.com, lhh@redhat.com, lpeer@redhat.com, markmc@redhat.com, rbryant@redhat.com, renich@woralelandia.com, sclewis@redhat.com, s@shk.io, tdecacqu@redhat.com, ttomecek@redhat.com, vbatts@redhat.com
A carry propagation issue was found in the P-256 implementation for x86-64 in golang.
Upstream issue:
https://github.com/golang/go/issues/20040
Upstream patch:
Andrej Nemec anemec@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Fixed In Version|        |golang 1.7.6, golang 1.8.2
Andrej Nemec anemec@redhat.com changed:
What   |Removed                                                                        |Added
----------------------------------------------------------------------------
Summary|CVE-2017-8932 golang: Elliptic curvers carry propagation issue in x86-64 P-256 |CVE-2017-8932 golang: Elliptic curves carry propagation issue in x86-64 P-256
Andrej Nemec anemec@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Depends On|        |1455191, 1455190
--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created golang tracking bugs for this issue:
Affects: epel-6 [bug 1455190]
Affects: fedora-all [bug 1455191]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1455190
[Bug 1455190] CVE-2017-8932 golang: Elliptic curvers carry propagation issue in x86-64 P-256 [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1455191
[Bug 1455191] CVE-2017-8932 golang: Elliptic curvers carry propagation issue in x86-64 P-256 [fedora-all]
Andrej Nemec anemec@redhat.com changed:
What  |Removed |Added
----------------------------------------------------------------------------
Blocks|        |1455195
Garth Mollett gmollett@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20170523,reported=20170524,source=redhat,cvss3=4.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-682,fedora-all/golang=affected,epel-6/golang=affected,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=new,openstack-9-optools/golang=new |impact=moderate,public=20170523,reported=20170524,source=redhat,cvss3=4.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-682,fedora-all/golang=affected,epel-6/golang=affected,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20170523,reported=20170524,source=redhat,cvss3=4.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-682,fedora-all/golang=affected,epel-6/golang=affected,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix |impact=moderate,public=20170523,reported=20170524,source=redhat,cvss3=4.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-682,fedora-all/golang=affected,epel-6/golang=affected,rhel-7/golang=affected,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Depends On|        |1457169
Martin Cermak mcermak@redhat.com changed:
What|Removed |Added
----------------------------------------------------------------------------
CC  |        |mcermak@redhat.com
--- Doc Text *updated* by Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang.
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What  |Removed |Added
----------------------------------------------------------------------------
Blocks|        |1415638
Eric Christensen sparks@redhat.com changed:
What |Removed            |Added
----------------------------------------------------------------------------
CC   |                   |huzaifas@redhat.com
Flags|requires_doc_text+ |needinfo?(huzaifas@redhat.com)
--- Doc Text *updated* by Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could use this flaw to extract private keys when static ECDH is used.
Bug 1455189 depends on bug 1455190, which changed state.
Bug 1455190 Summary: CVE-2017-8932 golang: Elliptic curvers carry propagation issue in x86-64 P-256 [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1455190
What      |Removed |Added
----------------------------------------------------------------------------
Status    |ON_QA   |CLOSED
Resolution|---     |ERRATA
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20170523,reported=20170524,source=redhat,cvss3=4.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-682,fedora-all/golang=affected,epel-6/golang=affected,rhel-7/golang=affected,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix |impact=moderate,public=20170523,reported=20170524,source=internet,cvss3=4.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-682,fedora-all/golang=affected,epel-6/golang=affected,rhel-7/golang=affected,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix
--- Doc Text *updated* by Tomas Hoger thoger@redhat.com ---
A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could possibly use this flaw to extract private keys when static ECDH was used.
--- Comment #6 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:1859 https://access.redhat.com/errata/RHSA-2017:1859
Bug 1455189 depends on bug 1455191, which changed state.
Bug 1455191 Summary: CVE-2017-8932 golang: Elliptic curvers carry propagation issue in x86-64 P-256 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1455191
What      |Removed |Added
----------------------------------------------------------------------------
Status    |ON_QA   |CLOSED
Resolution|---     |CURRENTRELEASE