Bug 1897643 (CVE-2020-28366)

Summary: CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: admiller, amctagga, amurdaca, aos-bugs, aos-storage-staff, asm, bbreard, bbrownin, bmontgom, bodavis, chazlett, cnv-qe-bugs, deparker, emachado, eparis, erooth, fdeutsch, fweimer, gbrown, hchiramm, himadhav, hvyas, imcleod, jakub, jburrell, jcajka, jmulligan, jokerman, jpadman, jshaughn, jwendell, jwon, kconner, krathod, law, lemenkov, madam, markito, mcooper, miabbott, mnewsome, mpolacek, nstielau, ohudlick, puebele, rcernich, renich, rhs-bugs, rrajasek, rtalur, sipoyare, sponnaga, stirabos, storage-qa-internal, tjelinek, tstellar, twalsh, vbatts
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/SRVCOM-1153
https://issues.redhat.com/browse/SRVCOM-1154
https://issues.redhat.com/browse/SRVCOM-1155
Whiteboard:
Fixed In Version: go 1.15.5, go 1.14.12
Doc Type: If docs needed, set a value
Doc Text:
An input validation vulnerability was found in Go. Using a Go file generated by the cgo tool, it is possible to modify symbols within the resulting object file and specify code. This flaw allows an attacker to create a repository that includes malicious pre-built object files that could execute arbitrary code when downloaded and run via `go get` or `go build` while building a Go project. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-12-15 22:19:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1897644, 1897645, 1898648, 1898649, 1898821, 1898832, 1898837, 1898956, 1899184, 1905306, 1906663
Bug Blocks: 1897653

Description Guilherme de Almeida Suckevicz 2020-11-13 17:09:20 UTC
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol names. This has been fixed by rejecting invalid symbols which may add a //go:cgo_ldflag directive to the generated file, and by ensuring that the go tool follows existing LDFLAG restrictions.

References:
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
https://github.com/golang/go/issues/42559

Comment 1 Guilherme de Almeida Suckevicz 2020-11-13 17:09:57 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1897645]
Affects: fedora-all [bug 1897644]

Comment 4 Mark Cooper 2020-11-19 01:49:28 UTC
External References:

https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ

Comment 9 Mark Cooper 2020-11-19 07:38:39 UTC
Mitigation:

If it's possible to confirm that the go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either `go get` or `go build`.

For example:
    CGO_ENABLED=0 go get github.com/someproject

This will not stop the files being downloaded, but will stop any automatic compilation of the cgo code, including code inlined in the go file and separate .c files. Of course this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios.
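
The mitigation above only helps when no dependency actually needs cgo, so a practitioner wants a check before flipping the switch. The following is an added example and not part of the bug report, of Red Hat's guidance or of the Go project: a POSIX shell audit that walks a module tree (including vendored or downloaded dependencies) and reports the inputs that CGO_ENABLED=0 would either break or leave in place. The helper names (`find_cgo_usage`, `count_cgo_findings`, `build_without_cgo`, `make_sample_tree`) and the sample module tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the Go project): audit a Go source
# tree for cgo usage before relying on CGO_ENABLED=0 as a build-time mitigation.
# Helper names and the sample tree below are constructed for illustration.

# find_cgo_usage DIR
# Prints one path per line for:
#   - .go files that import the cgo pseudo-package "C" (single or grouped import)
#   - C/C++ sources that the go tool would hand to the system compiler under cgo
#   - .syso files, which the go tool passes to the linker as pre-built objects
#     (the "pre-built object files" the Doc Text above refers to)
find_cgo_usage() {
    dir=$1
    # grep -l lists matching files; "|| true" keeps a no-match exit status from
    # aborting callers that run under "set -e".
    find "$dir" -type f -name '*.go' -exec \
        grep -lE '^[[:space:]]*(import[[:space:]]+)?"C"[[:space:]]*$' {} + 2>/dev/null || true
    find "$dir" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' \
        -o -name '*.h' -o -name '*.syso' \) -print 2>/dev/null || true
}

# count_cgo_findings DIR -> number of findings; 0 means the tree is pure Go and
# CGO_ENABLED=0 can be applied without breaking the build.
count_cgo_findings() {
    find_cgo_usage "$1" | wc -l | tr -d ' '
}

# build_without_cgo DIR
# The mitigation from the comment above, gated on the audit: refuse to proceed
# when cgo or native inputs are present, otherwise build with cgo disabled.
build_without_cgo() {
    n=$(count_cgo_findings "$1")
    if [ "$n" -ne 0 ]; then
        echo "refusing: $n cgo/native input(s) found under $1:" >&2
        find_cgo_usage "$1" >&2
        return 1
    fi
    (cd "$1" && CGO_ENABLED=0 go build ./...)
}

# make_sample_tree -> path of a constructed tree: one pure-Go package and one
# package that uses cgo together with a separate C helper file.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/pure" "$root/native"
    printf 'package pure\n\nfunc Add(a, b int) int { return a + b }\n' > "$root/pure/pure.go"
    printf 'package native\n\n// #include <stdlib.h>\nimport "C"\n\nfunc Rand() int { return int(C.rand()) }\n' > "$root/native/native.go"
    printf 'int helper(void) { return 1; }\n' > "$root/native/helper.c"
    echo "$root"
}

# Demonstration on the constructed tree: the pure package reports nothing, the
# cgo package reports its .go and .c inputs. Point the functions at a real
# module directory (after "go mod vendor" or a download) in practice.
sample=$(make_sample_tree)
echo "pure:   $(count_cgo_findings "$sample/pure") finding(s)"
echo "native: $(count_cgo_findings "$sample/native") finding(s)"
find_cgo_usage "$sample/native"
rm -rf "$sample"
```

The static scan needs no Go toolchain, which makes it usable in a CI stage that runs before any `go` command touches untrusted code. Where a toolchain is present, `go list -deps -f '{{if .CgoFiles}}{{.ImportPath}}{{end}}' ./...` answers the same question from the resolved dependency graph; the two approaches differ in that the scan above also flags `.syso` objects, which are linked as-is rather than compiled and so deserve a separate look whatever the CGO_ENABLED setting.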

Comment 10 errata-xmlrpc 2020-12-03 11:19:19 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:5333 https://access.redhat.com/errata/RHSA-2020:5333

Comment 13 Sage McTaggart 2020-12-08 22:48:14 UTC
Statement:

While OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ), OpenShift Service Mesh (OSSM) and OpenShift Virtualization all contain RPMs and containers which are compiled with a vulnerable version of Go, the vulnerability is specific to the building of Go code itself, such as using `go get` or `go build`, and as such the relevant components have been marked as not affected.

Additionally, only the main RPMs and containers for OCP, RHOSJ, OSSM and OpenShift Virtualization are represented due to the large volume of not affected components.

Red Hat Ceph Storage 3 ships the vulnerable version of go, and an attacker building go code on RHCS 3 could potentially exploit this vulnerability.

Comment 16 errata-xmlrpc 2020-12-15 17:06:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5493 https://access.redhat.com/errata/RHSA-2020:5493

Comment 17 Product Security DevOps Team 2020-12-15 22:19:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28366

Comment 18 errata-xmlrpc 2021-01-14 13:38:54 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:0145 https://access.redhat.com/errata/RHSA-2021:0145

Comment 19 errata-xmlrpc 2021-01-14 16:30:47 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.12

Via RHSA-2021:0146 https://access.redhat.com/errata/RHSA-2021:0146