CVE-2019-11840

Published: 9 May 2019

An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Notes

Author: jdstrand

snapd contains an embedded copy of golang-go.crypto with the affected code.

snapd doesn't import/use the salsa code directly, but does vendor golang-gopkg-macaroon.v1, which imports golang.org/x/crypto/nacl/secretbox which does import salsa and contains the affected salsa2020XORKeyStream. snapd uses secretbox.Open() and secretbox.Seal(), both of which use salsa.XORKeyStream() (which wraps salsa2020XORKeyStream) via the internal decrypt() and encrypt() functions, respectively. In macaroon.v1, encrypt() is only used via AddThirdPartyCaveat() and decrypt() via Verify().

overlord/auth/auth.go in snapd uses Verify() in CheckMacaroon(), daemon/api.go uses CheckMacaroon() in UserFromRequest(), which is called by ServeHTTP(), the service used to process snap commands from the local system to the local snapd. This CVE does not affect decrypt() operations.

AddThirdPartyCaveat() is only used in unit tests, but not in the binaries of snapd builds.

For snapd, ignoring since only encryption operations (i.e., secretbox.Seal()) are affected with regard to loss of confidentiality/predictability and this function is only ever (ultimately) called via the snapd unit tests.

lxd contains an embedded copy of golang-go.crypto, but does not import golang.org/x/crypto/nacl/secretbox or salsa. lxd in cosmic and later does not contain the affected code.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package Release Status
golang-go.crypto
bionic Needed
cosmic Ignored (reached end-of-life)
disco Ignored (reached end-of-life)
eoan Ignored (reached end-of-life)
focal Not vulnerable (1:0.0~git20200221.2aa609c-1)
groovy Not vulnerable (1:0.0~git20200221.2aa609c-1)
hirsute Not vulnerable (1:0.0~git20200221.2aa609c-1)
impish Not vulnerable (1:0.0~git20200221.2aa609c-1)
jammy Not vulnerable (1:0.0~git20200221.2aa609c-1)
precise Does not exist
trusty Does not exist
upstream Not vulnerable
xenial Needed

Patches:
upstream: https://github.com/golang/crypto/commit/b7391e95e576cacdcdd422573063bc057239113d
lxd
bionic Not vulnerable (code-not-compiled)
cosmic Not vulnerable (code-not-present)
disco Not vulnerable (code-not-present)
eoan Not vulnerable (code-not-present)
focal Not vulnerable (code-not-present)
groovy Not vulnerable (code-not-present)
hirsute Not vulnerable (code-not-present)
impish Not vulnerable (code-not-present)
precise Does not exist
trusty Does not exist
upstream Needed
xenial Not vulnerable (code-not-compiled)
snapd
bionic Ignored
cosmic Ignored
disco Ignored
eoan Ignored
focal Ignored
groovy Ignored
hirsute Ignored
impish Ignored
jammy Ignored
precise Does not exist
trusty Does not exist
upstream Needed
xenial Ignored