Bug 1353798 (CVE-2016-5386)

Summary: CVE-2016-5386 Go: sets environmental variable based on user supplied Proxy request header
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aavati, admiller, amurdaca, anemec, aortega, apevec, ayoung, bleanhar, ccoleman, chrisw, cvsbot-xmlrpc, dmcphers, dmoppert, golang-updates, jakub, jcajka, jialiu, jjoyce, jkeck, jokerman, jschluet, kbasil, kseifried, law, lemenkov, lhh, lmeyer, lpeer, markmc, mburns, mcermak, mmccomas, mpolacek, ohudlick, rbryant, renich, rfortier, sclewis, security-response-team, sgirijan, sisharma, slinaber, slong, smohan, sparks, srevivo, ssaha, s, tdawson, tdecacqu, vbatts, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Go 1.6.3, Go 1.7rc2 Doc Type: If docs needed, set a value
Doc Text:
An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTP_PROXY" is used by numerous web clients, including Go's net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-13 08:59:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1327920, 1327921, 1357601, 1357602, 1358278, 1358279    
Bug Blocks: 1353762    

Description Kurt Seifried 2016-07-08 03:27:25 UTC 
Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. 

The Go programming language can automatically populate the HTTP_PROXY environmental variable with a user supplied "Proxy" header.
Comment 1 Kurt Seifried 2016-07-08 03:27:41 UTC 
Acknowledgments:

Name: Scott Geary (VendHQ)
Comment 2 Doran Moppert 2016-07-08 05:49:05 UTC 
To go package "net/http" honours $HTTP_PROXY as well as $http_proxy when making outbound requests, making CGI programs written in go vulnerable.

Go HTTP servers that do not invoke CGI scripts are not directly vulnerable:

  - the HTTP_PROXY var is not set in the server process's environment
  - the HTTP_PROXY var is not set in subprocesses launched directly by os.exec
Comment 4 Stefan Cornelius 2016-07-18 15:35:24 UTC 
Created golang tracking bugs for this issue:

Affects: epel-6 [bug 1357601]
Affects: fedora-all [bug 1357602]
Comment 8 Summer Long 2016-07-26 00:52:17 UTC 
Upstream announcement on golang-announce mailing list:

https://groups.google.com/forum/#!topic/golang-announce/7jZDOQ8f8tM

[security] Go 1.6.3 and 1.7rc2 are released

Chris Broadfoot 	
Jul 19

A security-related issue was recently reported in Go's net/http/cgi package and net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 will contain a fix for this issue.

Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in the CGI components resulting in the HTTP_PROXY environment variable being set by the incoming Proxy header. This environment variable was also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.

This is CVE-2016-5386 and was addressed by this change: https://golang.org/cl/25010, tracked in this issue: https://golang.org/issue/16405

The Go team would like to thank Dominic Scheirlinck for coordinating disclosure of this issue across multiple languages and CGI environments. Read more about "httpoxy" here: https://httpoxy.org/

Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354 for details.

Downloads are available at https://golang.org/dl for all supported platforms.

Cheers,
Chris (on behalf of the Go team)
Comment 13 Fedora Update System 2016-07-28 23:54:27 UTC 
golang-1.6.3-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2016-07-29 02:51:36 UTC 
golang-1.5.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 errata-xmlrpc 2016-08-02 18:25:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1538 https://rhn.redhat.com/errata/RHSA-2016-1538.html