Bug 1691529 (CVE-2019-11840) - CVE-2019-11840 golang.org/x/crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter
Alias: CVE-2019-11840
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1691530 1691531 1691532 1691533 1693042 1694799 1713176 1855173
Blocks: 1691535
Reported: 2019-03-21 20:17 UTC by Pedro Sampaio
Modified: 2021-02-23 17:33 UTC

Fixed In Version: golang.org/x/crypto v0.0.0-0.20190320223903-b7391e95e576
Last Closed: 2021-01-20 17:59:13 UTC

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2021:0079 | 0 | None | None | None | 2021-01-20 16:52:41 UTC

Description Pedro Sampaio 2019-03-21 20:17:14 UTC
A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Upstream patch:




Comment 1 Pedro Sampaio 2019-03-21 20:17:38 UTC
Created golang-googlecode-go-crypto tracking bugs for this issue:

Affects: epel-all [bug 1691531]
Affects: fedora-all [bug 1691530]

Created gomtree tracking bugs for this issue:

Affects: fedora-all [bug 1691532]

Created source-to-image tracking bugs for this issue:

Affects: fedora-all [bug 1691533]

Comment 2 Scott Gayou 2019-03-26 18:59:51 UTC
Notes on if gomtree is impacted:

gomtree upstream: https://github.com/vbatts/go-mtree
(gomtree is just the cli output binary, see cmd/gomtree)
gomtree includes nacl box. (https://godoc.org/golang.org/x/crypto/nacl/box)
nacl box includes "golang.org/x/crypto/salsa20/salsa".

Can't find any uses of salsa or box in the actual gomtree source code. Grepping strings in the binary shows no instances of these either. I think the salsa20 is just an artifact.

salsa20 was deleted upstream in this commit:


I think glide was pulling in all of salsa via this in glide.yaml:

- package: golang.org/x/crypto
  - ripemd160

Unclear where box was coming from. Nevertheless, I believe gomtree isn't affected.

Comment 4 Scott Gayou 2019-03-27 17:02:02 UTC
Same thing with source-to-image. Salsa20 looks to be a dependency, but I believe that is because it's pulling down x/crypto again.

- package: golang.org/x/crypto
  version: 81e90905daefcd6fd217b62423c0908922eadb30

I didn't find any usages of it in the code after a quick glance.

Comment 5 Scott Gayou 2019-03-28 17:24:39 UTC
mongodb 3.4 looks unaffected. crypto lib only appears to be used in ./common/password/pass_util.go. Godeps pulls down all of crypto to the best of my knowledge.

`golang.org/x/crypto                     1f22c0103821b9390939b6776727195525381532    github.com/golang/crypto`

Comment 6 Scott Gayou 2019-03-28 17:30:23 UTC
Same result for mongodb 3.6.3

Comment 7 Scott Gayou 2019-03-28 18:16:22 UTC
Same result for mongo-tools. Pulls down crypto deps, doesn't appear to make use of salsa20.
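
The triage in comments 2 through 7 turns on whether first-party code imports the affected packages or whether they are only present in a vendored copy of x/crypto. The following Go program is an added example, not part of the original bug or of any project named here; it checks one file's import block, and its helper names, vendor-path heuristics and the inclusion of nacl/secretbox (which also imports salsa20/salsa) are assumptions of this example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Imports that make Salsa20 keystream code reachable. salsa20, salsa20/salsa and
// nacl/box are named on this page; nacl/secretbox is added by this example.
var salsaUsers = map[string]bool{
	"golang.org/x/crypto/salsa20":        true,
	"golang.org/x/crypto/salsa20/salsa":  true,
	"golang.org/x/crypto/nacl/box":       true,
	"golang.org/x/crypto/nacl/secretbox": true,
}

// isVendored reports whether a path lies in a vendored tree (assumed layouts).
func isVendored(path string) bool {
	p := "/" + strings.ReplaceAll(path, "\\", "/")
	return strings.Contains(p, "/vendor/") || strings.Contains(p, "/Godeps/_workspace/")
}

// salsaImports parses only the import block of one Go file and returns the hits.
func salsaImports(filename, src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		if p := strings.Trim(imp.Path.Value, "\"`"); salsaUsers[p] {
			hits = append(hits, p)
		}
	}
	return hits, nil
}

func main() {
	files := map[string]string{ // constructed sample sources, not from any project on this page
		"cmd/tool/main.go": "package main\nimport (\n\t\"fmt\"\n\tbox \"golang.org/x/crypto/nacl/box\"\n)\n",
		"vendor/golang.org/x/crypto/nacl/box/box.go": "package box\nimport \"golang.org/x/crypto/salsa20/salsa\"\n",
	}
	for name, src := range files {
		hits, err := salsaImports(name, src)
		fmt.Printf("%s vendored=%v imports=%v err=%v\n", name, isVendored(name), hits, err)
	}
}
```

A hit in a non-vendored file means the product needs a closer look; hits only under vendored paths match the "just an artifact" conclusion reached in the comments above.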

Comment 14 Sam Fowler 2020-07-09 07:02:35 UTC
Fixed in origin in 4.3.0:


Comment 16 Sam Fowler 2020-07-09 07:11:57 UTC
External References:


Comment 17 errata-xmlrpc 2021-01-20 16:52:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:0079 https://access.redhat.com/errata/RHSA-2021:0079

Comment 18 Product Security DevOps Team 2021-01-20 17:59:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

