ALAS-2022-1583


Amazon Linux 1 Security Advisory: ALAS-2022-1583
Advisory Release Date: 2022-04-25 15:59 Pacific
Advisory Updated Date: 2024-01-03 22:37 Pacific
Severity: Important

Issue Overview:

2024-01-03: CVE-2021-27919 was added to this advisory.

An out-of-bounds read vulnerability was found in golang. When using the archive/zip standard library (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice (array), causing a panic in the runtime. A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash, resulting in a Denial of Service (DoS). (CVE-2021-27919)

A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity. (CVE-2021-38297)

An out-of-bounds read vulnerability was found in debug/macho of the Go standard library. When malformed binaries are parsed using the debug/macho standard library (stdlib) functions Open or OpenFat, it can cause golang to attempt to read outside of a slice (array), causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash, resulting in a denial of service. (CVE-2021-41771)

A vulnerability was found in archive/zip of the Go standard library. Applications written in Go that use Reader.Open (the API implementing io/fs.FS, introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names, or when Reader.Open is passed an empty filename argument. (CVE-2021-41772)
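As an added illustration of the archive/zip failure mode described for CVE-2021-27919 and CVE-2021-41772 (example code, not part of this advisory or of the Go project), the following Go program opens an entry from an untrusted archive through Reader.Open and confines any parser panic to an ordinary error instead of a process crash. The archive bytes and the entry names are constructed sample input; the OpenEntry and buildArchive names are assumed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
)

// buildArchive returns a constructed in-memory ZIP with one entry; it stands
// in for an archive received from an untrusted source.
func buildArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("hello.txt") // writes to a bytes.Buffer cannot fail
	w.Write([]byte("hello"))
	zw.Close()
	return buf.Bytes()
}

// OpenEntry reads one entry through Reader.Open, the io/fs.FS API named in
// CVE-2021-41772. The deferred recover converts a parser panic (the failure
// mode of CVE-2021-27919 and CVE-2021-41772) into an ordinary error, so one
// crafted archive cannot crash a service that is still on an unpatched Go.
func OpenEntry(archive []byte, name string) (data []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			data, err = nil, fmt.Errorf("archive/zip panicked opening %q: %v", name, r)
		}
	}()
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	f, err := zr.Open(name)
	if err != nil {
		return nil, err // patched Go rejects "" and "../x" here with fs.ErrInvalid
	}
	defer f.Close()
	return io.ReadAll(f)
}

func main() {
	archive := buildArchive()
	for _, name := range []string{"hello.txt", "", "../hello.txt"} {
		data, err := OpenEntry(archive, name)
		fmt.Printf("%-14q data=%q err=%v\n", name, data, err)
	}
}
```

On the fixed Go shipped by this advisory the invalid names are rejected with an error before any parsing; on an unpatched Go the recover is what keeps the process alive.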

There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact system performance and resources. (CVE-2021-44716)

There's a flaw in golang's syscall.ForkExec() interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec(). (CVE-2021-44717)


Affected Packages:

golang


Issue Correction:
Run yum update golang to update your system.

New Packages:
i686:
    golang-shared-1.16.15-1.37.amzn1.i686
    golang-1.16.15-1.37.amzn1.i686
    golang-bin-1.16.15-1.37.amzn1.i686

noarch:
    golang-docs-1.16.15-1.37.amzn1.noarch
    golang-tests-1.16.15-1.37.amzn1.noarch
    golang-misc-1.16.15-1.37.amzn1.noarch
    golang-src-1.16.15-1.37.amzn1.noarch

src:
    golang-1.16.15-1.37.amzn1.src

x86_64:
    golang-bin-1.16.15-1.37.amzn1.x86_64
    golang-1.16.15-1.37.amzn1.x86_64
    golang-race-1.16.15-1.37.amzn1.x86_64
    golang-shared-1.16.15-1.37.amzn1.x86_64