vulnerability
FreeBSD: VID-DB4B2F27-252A-11EB-865C-00155D646400 (CVE-2020-28366): go -- math/big: panic during recursive division of very large numbers; cmd/go: arbitrary code execution at build time through cgo
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:H/Au:N/C:P/I:P/A:P) | Nov 9, 2020 | Nov 13, 2020 | Dec 16, 2020 |
Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-DB4B2F27-252A-11EB-865C-00155D646400:
The Go project reports:
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem,
QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic
when provided crafted large inputs. For the panic to happen,
the divisor or modulo argument must be larger than 3168 bits
(on 32-bit architectures) or 6336 bits (on 64-bit architectures).
Multiple math/big.Rat methods are similarly affected.
The go command may execute arbitrary code at build time when
cgo is in use. This may occur when running go get on a malicious
package, or any other command that builds untrusted code. This
can be caused by a malicious gcc flags specified via a #cgo
directive.
The go command may execute arbitrary code at build time when
cgo is in use. This may occur when running go get on a malicious
package, or any other command that builds untrusted code. This
can be caused by malicious unquoted symbol names.
Solution
References
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.