UBUNTU-CVE-2017-8932

Source
https://ubuntu.com/security/CVE-2017-8932
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-8932.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2017-8932
Related
Published
2017-07-06T16:29:00Z
Modified
2024-10-15T14:06:20Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.

References

Affected packages

Ubuntu:Pro:16.04:LTS / golang-1.6

Package

Name
golang-1.6
Purl
pkg:deb/ubuntu/golang-1.6?arch=src?distro=esm-infra/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6-0ubuntu1
1.6-0ubuntu2
1.6-0ubuntu3
1.6-0ubuntu4
1.6-0ubuntu5
1.6.1-0ubuntu1
1.6.2-0ubuntu5~16.04
1.6.2-0ubuntu5~16.04.2
1.6.2-0ubuntu5~16.04.3
1.6.2-0ubuntu5~16.04.4

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:18.04:LTS / golang-1.8

Package

Name
golang-1.8
Purl
pkg:deb/ubuntu/golang-1.8?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.8.3-2ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "golang-1.8"
        },
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "golang-1.8-doc"
        },
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "golang-1.8-go"
        },
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "golang-1.8-go-dbgsym"
        },
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "golang-1.8-go-shared-dev"
        },
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "golang-1.8-go-shared-dev-dbgsym"
        },
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "golang-1.8-src"
        },
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "libgolang-1.8-std1"
        },
        {
            "binary_version": "1.8.3-2ubuntu1",
            "binary_name": "libgolang-1.8-std1-dbgsym"
        }
    ]
}