vulnerability

FreeBSD: VID-6A4805D5-5AAF-11EB-A21D-79F5BC5EF6A9 (CVE-2021-3115): go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:H/Au:N/C:P/I:P/A:P)	2021-01-13	2021-01-20	2021-03-08

Severity

CVSS

(AV:N/AC:H/Au:N/C:P/I:P/A:P)

Published

2021-01-13

Added

2021-01-20

Modified

2021-03-08

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-6A4805D5-5AAF-11EB-A21D-79F5BC5EF6A9:

The Go project reports:

The go command may execute arbitrary code at build time when cgo is

in use on Windows. This may occur when running "go get", or

any other command that builds code. Only users who build untrusted

code (and don't execute it) are affected. In addition to Windows

users, this can also affect Unix users who have "." listed

explicitly in their PATH and are running "go get" or build

commands outside of a module or with module mode disabled.

The P224() Curve implementation can in rare circumstances generate

incorrect outputs, including returning invalid points from

ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not

crypto/tls) packages support P-224 ECDSA keys, but they are not

supported by publicly trusted certificate authorities. No other

standard library or golang.org/x/crypto package supports or uses the

P-224 curve.

Solution

freebsd-upgrade-package-go

References

NVD-CVE-2021-3115

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today