[ASA-201901-10] go-pie: private key recovery

Morten Linderud foxboron at archlinux.org
Mon Jan 28 21:30:25 UTC 2019


Arch Linux Security Advisory ASA-201901-10
==========================================

Severity: Medium
Date    : 2019-01-24
CVE-ID  : CVE-2019-6486
Package : go-pie
Type    : private key recovery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-859

Summary
=======

The package go-pie before version 2:1.11.5-1 is vulnerable to private
key recovery.

Resolution
==========

Upgrade to 2:1.11.5-1.

# pacman -Syu "go-pie>=2:1.11.5-1"

The problem has been fixed upstream in version 1.11.5.

Workaround
==========

None.

Description
===========

Go before versions 1.10.8 and 1.11.5 has a vulnerability in the
crypto/elliptic implementations of the P-521 and P-384 elliptic curves.
A remote attacker can exploit this by crafting inputs that consume
excessive amounts of CPU. These inputs might be delivered via TLS
handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA
signatures. In some cases, if an ECDH private key is reused more than
once, the attack can also lead to key recovery.

Impact
======

A remote attacker can crash the system with maliciously crafted input,
or recover the private key.

References
==========

https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903
https://github.com/golang/go/commit/42b42f71
https://security.archlinux.org/CVE-2019-6486
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20190128/39738e31/attachment.asc>


More information about the arch-security mailing list