FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- math/big: panic during recursive division of very large numbers; cmd/go: arbitrary code execution at build time through cgo

Affected packages
go < 1.15.5,1

Details

VuXML ID db4b2f27-252a-11eb-865c-00155d646400
Discovery 2020-11-09
Entry 2020-11-12

The Go project reports:

A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive.

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol names.
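An input-validation guard for the math/big issue described above, as an added example that is not part of the advisory or the Go project's own code: it rejects an untrusted divisor or modulus whose bit length exceeds the quoted thresholds before any big.Int division runs. The names checkDivisor, safeMod and ErrOperandTooLarge are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"math/bits"
)

// Bit-length thresholds quoted in the advisory text above.
const (
	limit32 = 3168 // 32-bit architectures
	limit64 = 6336 // 64-bit architectures
)

// ErrOperandTooLarge is a hypothetical error name used by this example.
var ErrOperandTooLarge = errors.New("divisor or modulus exceeds advisory bit-length threshold")

// checkDivisor rejects a divisor or modulus from an untrusted source when its
// bit length is above the threshold for the given word size (32 or 64).
func checkDivisor(m *big.Int, wordSize int) error {
	if m == nil || m.Sign() == 0 {
		return errors.New("divisor or modulus is nil or zero")
	}
	limit := limit64
	if wordSize == 32 {
		limit = limit32
	}
	if m.BitLen() > limit {
		return ErrOperandTooLarge
	}
	return nil
}

// safeMod computes x mod m only after the modulus has passed the check.
func safeMod(x, m *big.Int) (*big.Int, error) {
	if err := checkDivisor(m, bits.UintSize); err != nil {
		return nil, err
	}
	return new(big.Int).Mod(x, m), nil
}

func main() {
	// Constructed input: a modulus one bit over the 64-bit threshold.
	huge := new(big.Int).Lsh(big.NewInt(1), limit64)
	_, err := safeMod(big.NewInt(42), huge)
	fmt.Println("oversized modulus:", err)
	r, _ := safeMod(big.NewInt(17), big.NewInt(5))
	fmt.Println("17 mod 5 =", r)
}
```

The guard only narrows exposure for code that parses attacker-supplied integers on an affected toolchain; the page lists go < 1.15.5,1 as affected.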

References

CVE Name CVE-2020-28362
CVE Name CVE-2020-28366
CVE Name CVE-2020-28367
URL https://github.com/golang/go/issues/42552
URL https://github.com/golang/go/issues/42556
URL https://github.com/golang/go/issues/42559