Ubuntu packages affected by CVE-2020-24553

Bug #1914372 reported by Dariusz Gadomski
Affects                  Status         Importance   Assigned to         Milestone
golang-1.10 (Ubuntu)
  Xenial                 Fix Released   High         Dariusz Gadomski
  Bionic                 Fix Released   High         Dariusz Gadomski
golang-1.14 (Ubuntu)     Fix Released   Low          Dariusz Gadomski
  Focal                  Fix Released   High         Dariusz Gadomski
  Groovy                 Fix Released   High         Dariusz Gadomski
  Hirsute                Fix Released   Low          Dariusz Gadomski
golang-1.15 (Ubuntu)     Fix Released   Low          Unassigned

Bug Description

[Impact]

 Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

[Test Case]

 Described as a proof of concept at https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:

 1. Use the snippet of CGI Go code provided and run it: go run poc.go
 2. Run nginx with the config provided to forward the FastCGI calls to the go program.
 3. curl -i -o - http://localhost:8000
 4. Observe the output.

In an affected Go build the output will contain:
Content-Type: text/html (...)
while in the fixed version the content type is detected correctly as:
Content-Type: image/png

[Where problems could occur]

 * It may affect deployments where Go apps are used as CGI scripts: if a setup was incorrectly relying on the hard-coded default content type, it may need to be fixed.
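The following Go program is an added illustration for the test case and the regression note above; it is not code from the bug report, the advisory or the Go project. It models the child side of a CGI handler with a small `cgiResponse` writer (a constructed name, not the standard library type): with `sniff=false` a missing Content-Type falls back to the pre-fix default of text/html, with `sniff=true` it is derived from the first body chunk through `http.DetectContentType`, which is the behaviour the fix introduces. The PNG, text and JSON bodies are constructed samples. The JSON handler sets Content-Type explicitly and is never sniffed in either mode, which is why a deployment that relied on the old default should simply set the header itself.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/textproto"
	"strings"
)

// cgiResponse is a minimal CGI-style http.ResponseWriter (added illustration,
// not net/http/cgi itself). sniff selects fixed (true) or pre-fix (false)
// handling of a missing Content-Type.
type cgiResponse struct {
	header         http.Header
	code           int
	wroteHeader    bool
	wroteCGIHeader bool
	out            *bufio.Writer
	sniff          bool
}

func (r *cgiResponse) Header() http.Header { return r.header }

func (r *cgiResponse) WriteHeader(code int) {
	if r.wroteHeader {
		return // a second WriteHeader is ignored, as in net/http
	}
	r.wroteHeader = true
	r.code = code
}

func (r *cgiResponse) Write(p []byte) (int, error) {
	if !r.wroteHeader {
		r.WriteHeader(http.StatusOK)
	}
	if !r.wroteCGIHeader {
		r.writeCGIHeader(p) // p is the first body chunk, used for sniffing
	}
	return r.out.Write(p)
}

// writeCGIHeader emits the "Status:" line and the header block. The default
// only applies when the handler never set Content-Type itself.
func (r *cgiResponse) writeCGIHeader(p []byte) {
	r.wroteCGIHeader = true
	fmt.Fprintf(r.out, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
	if _, has := r.header["Content-Type"]; !has {
		if r.sniff {
			r.header.Set("Content-Type", http.DetectContentType(p))
		} else {
			r.header.Set("Content-Type", "text/html; charset=utf-8")
		}
	}
	r.header.Write(r.out)
	r.out.WriteString("\r\n")
}

// serveCGI runs h against a constructed GET request and returns the raw CGI
// output (header block, blank line, body).
func serveCGI(h http.HandlerFunc, sniff bool) string {
	var buf bytes.Buffer
	r := &cgiResponse{header: make(http.Header), code: http.StatusOK,
		out: bufio.NewWriter(&buf), sniff: sniff}
	h.ServeHTTP(r, httptest.NewRequest("GET", "/", nil))
	if !r.wroteCGIHeader {
		r.writeCGIHeader(nil) // empty body: headers are still emitted
	}
	r.out.Flush()
	return buf.String()
}

// contentTypeOf parses the CGI header block ("Status:" is itself a header
// line) and returns the Content-Type a web server would forward.
func contentTypeOf(cgiOutput string) string {
	tp := textproto.NewReader(bufio.NewReader(strings.NewReader(cgiOutput)))
	hdr, err := tp.ReadMIMEHeader()
	if err != nil {
		return ""
	}
	return hdr.Get("Content-Type")
}

// Constructed sample bodies: a PNG signature, plain text, and JSON.
var pngBytes = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")

func pngHandler(w http.ResponseWriter, _ *http.Request)  { w.Write(pngBytes) }
func textHandler(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "Hello from CGI\n") }
func jsonHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json") // explicit: never sniffed
	io.WriteString(w, `{"ok":true}`)
}

func main() {
	cases := []struct {
		name string
		h    http.HandlerFunc
	}{{"png", pngHandler}, {"text", textHandler}, {"json", jsonHandler}}
	for _, c := range cases {
		fmt.Printf("%-4s pre-fix: %-26s fixed: %s\n", c.name,
			contentTypeOf(serveCGI(c.h, false)), contentTypeOf(serveCGI(c.h, true)))
	}
}
```

Running it prints image/png for the PNG body only in fixed mode, and text/plain; charset=utf-8 for the text body in fixed mode, which is the same change of default that the matryoshka_test.go adjustment later in this bug reflects.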

[Other Info]

 * It was backported upstream to the 1.14 release series (starting with 1.14.8) in the following commit:
https://go.googlesource.com/go/+/8fcee8abbea1bb959c63a6944f9ddf490a97f802

$ git tag --contains 8fcee8abbe
go1.14.10
go1.14.11
go1.14.12
go1.14.13
go1.14.14
go1.14.15
go1.14.8
go1.14.9

 * The fix is present in golang-1.15 for hirsute and groovy.

Tags: sts

CVE References: CVE-2020-24553

no longer affects: golang-1.10 (Ubuntu Hirsute)
no longer affects: golang-1.10 (Ubuntu Groovy)
no longer affects: golang-1.10 (Ubuntu Focal)
Changed in golang-1.14 (Ubuntu Xenial):
status: New → Invalid
Changed in golang-1.14 (Ubuntu Bionic):
status: New → Invalid
Changed in golang-1.10 (Ubuntu):
importance: Undecided → High
Changed in golang-1.10 (Ubuntu Xenial):
importance: Undecided → High
Changed in golang-1.10 (Ubuntu Bionic):
importance: Undecided → High
Changed in golang-1.14 (Ubuntu Focal):
importance: Undecided → High
Changed in golang-1.14 (Ubuntu Groovy):
importance: Undecided → High
Dariusz Gadomski (dgadomski) wrote:

Patch proposal for golang-1.14 for Hirsute

Dariusz Gadomski (dgadomski) wrote:

Patch proposal for golang-1.14 on Groovy.

Dariusz Gadomski (dgadomski) wrote:

Patch proposal for golang-1.14 on Focal.

Dariusz Gadomski (dgadomski) wrote:

Patch proposal for golang-1.10 on Bionic.

Dariusz Gadomski (dgadomski) wrote:

Patch proposal for golang-1.10 on Xenial.

description: updated
Mathew Hodson (mhodson)
no longer affects: golang-1.14 (Ubuntu Xenial)
no longer affects: golang-1.14 (Ubuntu Bionic)
no longer affects: golang-1.10 (Ubuntu)
Eric Desrochers (slashd)
description: updated
Changed in golang-1.15 (Ubuntu):
status: New → Fix Released
Changed in golang-1.14 (Ubuntu Hirsute):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in golang-1.14 (Ubuntu Groovy):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in golang-1.14 (Ubuntu Focal):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in golang-1.10 (Ubuntu Bionic):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in golang-1.10 (Ubuntu Xenial):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in golang-1.14 (Ubuntu Hirsute):
status: New → In Progress
Changed in golang-1.14 (Ubuntu Groovy):
status: New → In Progress
Changed in golang-1.14 (Ubuntu Focal):
status: New → In Progress
Changed in golang-1.10 (Ubuntu Xenial):
status: New → In Progress
Changed in golang-1.10 (Ubuntu Bionic):
status: New → In Progress
description: updated
Avital Ostromich (avital) wrote:

Thank you for the debdiffs, all the golang-1.14 diffs built without issue. Both the patched golang-1.10 builds failed due to matryoshka_test.go, which is no longer present in golang-1.14:

2021/02/10 01:34:37 cgi: copy error: write tcp 127.0.0.1:39673->127.0.0.1:41144: write: broken pipe
--- FAIL: TestHostingOurselves (0.01s)
 matryoshka_test.go:56: got a Content-Type of "text/plain; charset=utf-8"; expected "text/html; charset=utf-8"
2021/02/10 01:34:37 cgi: copy error: past write limit
2021/02/10 01:34:37 cgi: no headers
2021/02/10 01:34:37 cgi: missing required Content-Type in headers
2021/02/10 01:34:37 cgi: no headers

I'll be taking a closer look tomorrow but if you have any insights, please let me know.
Other than that, I just updated the changelogs to match the security update template https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging and will be setting the bionic version to 1.10.4-2ubuntu1~18.04.2 instead of 1.10.4-2ubuntu2~18.04.2

Thanks!

Dariusz Gadomski (dgadomski) wrote:

Thanks for looking at it. I've checked matryoshka_test.go and it looks like it was expecting the old default Content-Type: text/html, while after applying the patch the new default is text/plain.

I've updated the debdiffs and will upload them shortly (for x and b).

Dariusz Gadomski (dgadomski) wrote:

Xenial patch (with matryoshka_test.go fixed).

Dariusz Gadomski (dgadomski) wrote:

Bionic patch with corrected versioning (and matryoshka_test.go fixed)

Avital Ostromich (avital) wrote:

The patched update is now uploaded to the security proposed PPA here: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ (Hirsute is still building ATM)
If anyone has the time to help test any of the packages before they're uploaded to the archive, it would be appreciated :)

Dariusz Gadomski (dgadomski) wrote:

Thank you Avital.

I have just tested golang-1.10 for Xenial and Bionic and the behavior is exactly as expected for a fixed version.

Dariusz Gadomski (dgadomski) wrote:

I have just repeated the testing procedure for golang-1.14 on Focal, Groovy and Hirsute.
The test results look correct and consistent with what is expected according to the test case.

Avital Ostromich (avital) wrote:

Thank you so much Dariusz! All the smoke tests look good as well so it's ready to push out Monday.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package golang-1.10 - 1.10.4-2ubuntu1~18.04.2

---------------
golang-1.10 (1.10.4-2ubuntu1~18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: XSS (LP: #1914372)
    - debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
      net/http/cgi and net/http/fcgi.
    - CVE-2020-24553

 -- Dariusz Gadomski <email address hidden> Wed, 03 Feb 2021 08:42:42 +0100

Changed in golang-1.10 (Ubuntu Bionic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package golang-1.10 - 1.10.4-2ubuntu1~16.04.2

---------------
golang-1.10 (1.10.4-2ubuntu1~16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: XSS (LP: #1914372)
    - debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
      net/http/cgi and net/http/fcgi.
    - CVE-2020-24553

 -- Dariusz Gadomski <email address hidden> Wed, 03 Feb 2021 10:11:12 +0100

Changed in golang-1.10 (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package golang-1.14 - 1.14.3-2ubuntu2~20.04.2

---------------
golang-1.14 (1.14.3-2ubuntu2~20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: XSS (LP: #1914372)
    - debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
      net/http/cgi and net/http/fcgi.
    - CVE-2020-24553

 -- Dariusz Gadomski <email address hidden> Wed, 03 Feb 2021 10:03:32 +0100

Changed in golang-1.14 (Ubuntu Focal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package golang-1.14 - 1.14.7-2ubuntu1.1

---------------
golang-1.14 (1.14.7-2ubuntu1.1) groovy-security; urgency=medium

  * SECURITY UPDATE: XSS (LP: #1914372)
    - debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
      net/http/cgi and net/http/fcgi.
    - CVE-2020-24553

 -- Dariusz Gadomski <email address hidden> Wed, 03 Feb 2021 09:59:58 +0100

Changed in golang-1.14 (Ubuntu Groovy):
status: In Progress → Fix Released
Mathew Hodson (mhodson)
Changed in golang-1.14 (Ubuntu Hirsute):
importance: High → Low
Changed in golang-1.15 (Ubuntu):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package golang-1.14 - 1.14.7-2ubuntu2

---------------
golang-1.14 (1.14.7-2ubuntu2) hirsute; urgency=medium

  * SECURITY UPDATE: XSS (LP: #1914372)
    - debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
      net/http/cgi and net/http/fcgi.
    - CVE-2020-24553

 -- Dariusz Gadomski <email address hidden> Wed, 03 Feb 2021 09:44:21 +0100

Changed in golang-1.14 (Ubuntu Hirsute):
status: In Progress → Fix Released
This report contains Public Security information.