Bug 1691529 (CVE-2019-11840) - CVE-2019-11840 golang-googlecode-go-crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter
Status: NEW
Alias: CVE-2019-11840
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20190320,repor...
Depends On: 1691532 1691533 1693042 1713176 1691530 1691531 1694799
Blocks: 1691535
Reported: 2019-03-21 20:17 UTC by Pedro Sampaio
Modified: 2019-09-18 22:53 UTC


Description Pedro Sampaio 2019-03-21 20:17:14 UTC
A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Upstream patch:

https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d

References:

https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ

Comment 1 Pedro Sampaio 2019-03-21 20:17:38 UTC
Created golang-googlecode-go-crypto tracking bugs for this issue:

Affects: epel-all [bug 1691531]
Affects: fedora-all [bug 1691530]


Created gomtree tracking bugs for this issue:

Affects: fedora-all [bug 1691532]


Created source-to-image tracking bugs for this issue:

Affects: fedora-all [bug 1691533]

Comment 2 Scott Gayou 2019-03-26 18:59:51 UTC
Notes on if gomtree is impacted:

gomtree upstream: https://github.com/vbatts/go-mtree
(gomtree is just the cli output binary, see cmd/gomtree)
gomtree includes nacl box. (https://godoc.org/golang.org/x/crypto/nacl/box)
nacl box includes "golang.org/x/crypto/salsa20/salsa".

Can't find any uses of salsa or box in the actual gomtree source code. Grepping strings in the binary shows no instances of these either. I think the salsa20 is just an artifact.

salsa20 was deleted upstream in this commit:

https://github.com/vbatts/go-mtree/commit/94a6c46bde3ce60a3ea448136730e5c331eed85b

I think glide was pulling in all of salsa via this in glide.yaml:

```
import:
- package: golang.org/x/crypto
  subpackages:
  - ripemd160
```

Unclear where box was coming from. Nevertheless, I believe gomtree isn't affected.

Comment 4 Scott Gayou 2019-03-27 17:02:02 UTC
Same thing with source-to-image. Salsa20 looks to be a dependency, but I believe that is because it's pulling down x/crypto again.

```
- package: golang.org/x/crypto
  version: 81e90905daefcd6fd217b62423c0908922eadb30
```

I didn't find any usages of it in the code after a quick glance.

Comment 5 Scott Gayou 2019-03-28 17:24:39 UTC
mongodb 3.4 looks unaffected. crypto lib only appears to be used in ./common/password/pass_util.go. Godeps pulls down all of crypto to the best of my knowledge.

`golang.org/x/crypto                     1f22c0103821b9390939b6776727195525381532    github.com/golang/crypto`

Comment 6 Scott Gayou 2019-03-28 17:30:23 UTC
Same result for mongodb 3.6.3

Comment 7 Scott Gayou 2019-03-28 18:16:22 UTC
Same result for mongo-tools. Pulls down crypto deps, doesn't appear to make use of salsa20.
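
The triage in comments 2 to 7 comes down to whether the affected packages are imported by a project's own code or only by a vendored copy of x/crypto. The following is an added example of that check, not code from this bug or from any of the projects discussed; `FindSalsaImports`, `Hit` and the choice of `vendor/` and `Godeps/` as dependency directories are assumptions of the example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Packages named in this bug: salsa20, salsa20/salsa, and nacl/box (imports salsa).
var affected = regexp.MustCompile(`^golang\.org/x/crypto/(salsa20|nacl/box)(/|$)`)
// Assumed locations of dependency copies (glide, Godeps) rather than project code.
var vendorDir = regexp.MustCompile(`(^|[/\\])(vendor|Godeps)[/\\]`)

type Hit struct { // one source file that imports an affected package
	File, Import string
	Vendored     bool
}

// FindSalsaImports parses only the import clauses of every .go file under root.
func FindSalsaImports(root string) ([]Hit, error) {
	var hits []Hit
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(p, ".go") {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		// A nil file means the source could not be read; partial parses keep their imports.
		if f, _ := parser.ParseFile(token.NewFileSet(), p, nil, parser.ImportsOnly); f != nil {
			for _, im := range f.Imports {
				if path := strings.Trim(im.Path.Value, "\"`"); affected.MatchString(path) {
					hits = append(hits, Hit{rel, path, vendorDir.MatchString(rel)})
				}
			}
		}
		return nil
	})
	return hits, err
}

func main() { // run from the root of the source tree under triage
	hits, err := FindSalsaImports(".")
	for _, h := range hits {
		fmt.Printf("%s imports %s (vendored=%v)\n", h.File, h.Import, h.Vendored)
	}
	fmt.Println("walk error:", err)
}
```

A hit that is only vendored still needs a check of whether some first-party import reaches that vendored package. An import on its own also does not show that the counter can exceed 32 bits in practice.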

