CVE-2021-41771
Publication date 8 November 2021
Last updated 24 July 2024
Ubuntu priority
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| golang-1.11 | 16.04 LTS xenial | Ignored |
| 14.04 LTS trusty | Ignored | |
| golang-1.15 | ||
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.16 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.17 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| golang-1.7 | 16.04 LTS xenial | Ignored |
| 14.04 LTS trusty | Ignored | |
| golang-1.8 | 18.04 LTS bionic |
Needs evaluation
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored |
Notes
alexmurray
No other packages in the Ubuntu archive appear to call File.ImportedSymbols() at all let alone on arbitrary input files so setting the priority of this CVE to low.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Other references
- https://github.com/golang/go/issues/48990
- https://groups.google.com/g/golang-announce/c/0fM21h43arc
- https://github.com/golang/go/commit/4a842985bf3f71d93a2b1340d9d6685bebc12b6b (go1.17.3)
- https://github.com/golang/go/commit/d19c5bdb24e093a2d5097b7623284eb02726cede (go1.16.10)
- https://www.cve.org/CVERecord?id=CVE-2021-41771