FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- multiple vulnerabilities

Affected packages
go119 < 1.19.12
go120 < 1.20.7

Details

VuXML ID 78f2e491-312d-11ee-85f2-bd89b893fcb4
Discovery 2023-04-27
Entry 2023-08-02

The Go project reports:

crypto/tls: restrict RSA keys in certificates to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits.

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
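The rejection of malformed Host values described above is implemented inside net/http in the fixed releases; for code that builds requests from untrusted input on any toolchain, a conservative application-side check is still worth having. The following Go program is an added example, not code from the Go project or from this advisory: `hostOK` is a constructed allowlist validator for a host[:port] value (it deliberately rejects anything outside a small character set, including CR, LF and other control characters), and `newRequestWithHost` refuses to build a request whose Host would fail it. The URLs are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// hostOK reports whether host is acceptable as an HTTP/1 Host header value.
// It allows only the characters that legitimately appear in host[:port]
// (letters, digits, '.', '-', '_', ':' and IPv6 brackets), so a value taken
// from untrusted input cannot carry CR/LF or whitespace that would terminate
// the header line and let additional headers or requests be injected.
// This is a deliberately strict allowlist, not a full RFC 3986 host parser.
func hostOK(host string) bool {
	if host == "" {
		return false
	}
	for i := 0; i < len(host); i++ {
		c := host[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		case c == '.', c == '-', c == '_', c == ':', c == '[', c == ']':
		default:
			return false
		}
	}
	return true
}

// newRequestWithHost builds a GET request whose Host header is supplied
// separately (for example from a routing table or user configuration) and
// refuses values that fail hostOK instead of passing them to the transport.
func newRequestWithHost(rawURL, host string) (*http.Request, error) {
	if !hostOK(host) {
		return nil, errors.New("refusing request: invalid Host header value")
	}
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, err
	}
	req.Host = host
	return req, nil
}

func main() {
	// Constructed inputs: one benign Host and one carrying a CRLF sequence.
	for _, h := range []string{"api.example.com:8443", "example.com\r\nX-Injected: 1"} {
		_, err := newRequestWithHost("http://example.com/", h)
		fmt.Printf("%q -> ok=%v err=%v\n", h, err == nil, err)
	}
}
```

The check runs before the request ever reaches the transport, so it protects programs built with Go versions older than 1.19.12 / 1.20.7 as well, and it gives the application a clear error to log rather than a failure deep inside the client.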

cmd/go: cgo code injection

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.

runtime: unexpected behavior of setuid/setgid binaries

The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated privileges. Similarly, if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers.
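The closed-stdio hazard above is the classic one: if fd 0, 1 or 2 is closed when a privileged program starts, the next file it opens is handed one of those numbers, and anything the program later writes to "stdout" or reads from "stdin" goes to that file. The fixed runtime handles this itself; the Go program below is an added example (not Go project code) of the user-space defence a setuid/setgid program can apply at the top of `main` on an older toolchain: `isOpen` probes a descriptor with fstat(2), and `ensureStdio` reopens any closed standard descriptor on /dev/null, relying on open(2) returning the lowest free descriptor number. `os.Args` handling and file paths are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"syscall"
)

// isOpen reports whether fd refers to an open file. fstat(2) fails with
// EBADF on a descriptor that is not open, which is exactly the condition
// a setuid/setgid program needs to detect before it opens anything else.
func isOpen(fd int) bool {
	var st syscall.Stat_t
	return syscall.Fstat(fd, &st) == nil
}

// closedStdio returns the standard descriptors (0, 1, 2) that are closed.
func closedStdio() []int {
	var closed []int
	for fd := 0; fd <= 2; fd++ {
		if !isOpen(fd) {
			closed = append(closed, fd)
		}
	}
	return closed
}

// ensureStdio reopens every closed standard descriptor on /dev/null.
// Descriptors are visited in ascending order and open(2) always returns the
// lowest unused number, so each open lands on the descriptor being repaired;
// the sanity check guards against another goroutine having opened a file
// in between. Call this before any other file is opened.
func ensureStdio() error {
	for _, fd := range closedStdio() {
		got, err := syscall.Open("/dev/null", syscall.O_RDWR, 0)
		if err != nil {
			return fmt.Errorf("reopening fd %d on /dev/null: %w", fd, err)
		}
		if got != fd {
			syscall.Close(got)
			return fmt.Errorf("expected to receive fd %d, got %d", fd, got)
		}
	}
	return nil
}

func main() {
	// Report the state on entry, then repair it. In a real setuid program
	// this would be the first thing main does, before any os.Open/os.Create.
	fmt.Println("closed standard descriptors at start:", closedStdio())
	if err := ensureStdio(); err != nil {
		fmt.Println("could not repair stdio:", err)
		return
	}
	fmt.Println("closed standard descriptors after repair:", closedStdio())
}
```

Package-level `init` functions of imported packages run before `main`, so a library that opens files during initialization is still exposed; the runtime-level fix in the patched releases closes that gap, which is the reason to update rather than rely on this check alone.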

cmd/go: improper sanitization of LDFLAGS

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive.

html/template: improper sanitization of CSS values

Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.

html/template: improper handling of JavaScript whitespace

Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

html/template: improper handling of empty HTML attributes

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
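All three html/template items above concern template text that places an action where the contextual escaper has less to work with (a CSS value, JavaScript surrounded by unusual whitespace, an unquoted attribute). The most durable defence on the template side is to keep attribute actions inside quotes, which html/template escapes reliably. The Go program below is an added example, not code from the Go project or this advisory: `renderAttr` executes a constructed template whose attribute value is quoted and returns the rendered HTML for empty and hostile input, and `unquotedAttrActions` is a small constructed regex lint that flags the `attr={{...}}` pattern in template source so it can be found and quoted during review.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
)

// renderAttr executes a constructed template in which the attribute value
// is quoted. With a quoted value html/template applies its attribute
// escaper, so an empty input yields an empty (but still present) value and
// quote characters in hostile input are turned into &#34; rather than
// ending the attribute and starting a new one.
func renderAttr(value string) (string, error) {
	tmpl := template.Must(template.New("t").Parse(`<span data-attr="{{.}}"></span>`))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, value); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// unquotedActionRE matches an attribute whose value is a template action
// with no surrounding quotes, e.g. attr={{.}}. Quoted forms such as
// href="{{.}}" do not match because a quote follows the '='.
var unquotedActionRE = regexp.MustCompile(`(?i)[a-z0-9_:-]+\s*=\s*\{\{[^}]*\}\}`)

// unquotedAttrActions returns every unquoted attribute action found in src.
// It is a review aid for template source files, not a replacement for the
// escaper; a non-empty result means the template should be rewritten with
// the action inside quotes.
func unquotedAttrActions(src string) []string {
	return unquotedActionRE.FindAllString(src, -1)
}

func main() {
	// Constructed inputs: the empty string and a value trying to add an attribute.
	for _, v := range []string{"", `x" onerror="alert(1)`} {
		out, err := renderAttr(v)
		fmt.Printf("%q -> %s (err=%v)\n", v, out, err)
	}
	// Constructed template source with one unquoted and one quoted action.
	fmt.Println("unquoted actions:", unquotedAttrActions(`<a attr={{.}} href="{{.}}">`))
}
```

Running the lint over a repository's templates is cheap and catches the unquoted pattern independently of which Go version builds the program; the patched releases additionally harden html/template's own handling of the empty-value case.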

References

CVE Name CVE-2023-24539
CVE Name CVE-2023-24540
CVE Name CVE-2023-29400
CVE Name CVE-2023-29402
CVE Name CVE-2023-29403
CVE Name CVE-2023-29404
CVE Name CVE-2023-29406
URL https://groups.google.com/u/1/g/golang-announce/c/2q13H6LEEx0
URL https://groups.google.com/u/1/g/golang-announce/c/MEb0UyuSMsU
URL https://groups.google.com/u/1/g/golang-announce/c/q5135a9d924
URL https://groups.google.com/u/1/g/golang-announce/c/X0b6CsSAaYI