CVE-2019-11840

Publication date 9 May 2019

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

5.9 · Medium

Score breakdown

An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Read the notes from the security team

Status

Package Ubuntu Release Status
golang-go.crypto 24.10 oracular
Not affected
24.04 LTS noble
Not affected
23.10 mantic
Not affected
23.04 lunar
Not affected
22.10 kinetic
Not affected
22.04 LTS jammy
Not affected
21.10 impish
Not affected
21.04 hirsute
Not affected
20.10 groovy
Not affected
20.04 LTS focal
Not affected
19.10 eoan Ignored end of life
19.04 disco Ignored end of life
18.10 cosmic Ignored end of life
18.04 LTS bionic
Vulnerable
16.04 LTS xenial
Vulnerable
14.04 LTS trusty Not in release
lxd 21.10 impish
Not affected
21.04 hirsute
Not affected
20.10 groovy
Not affected
20.04 LTS focal
Not affected
19.10 eoan
Not affected
19.04 disco
Not affected
18.10 cosmic
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty Not in release
snapd 24.10 oracular Ignored
24.04 LTS noble Ignored
23.10 mantic Ignored
23.04 lunar Ignored
22.10 kinetic Ignored
22.04 LTS jammy Ignored
21.10 impish Ignored
21.04 hirsute Ignored
20.10 groovy Ignored
20.04 LTS focal Ignored
19.10 eoan Ignored
19.04 disco Ignored
18.10 cosmic Ignored
18.04 LTS bionic Ignored
16.04 LTS xenial Ignored
14.04 LTS trusty Not in release

Notes

jdstrand

snapd contains an embedded copy of golang-go.crypto with the affected code snapd doesn’t import/use the salsa code directly, but does vendor golang-gopkg-macaroon.v1, which imports golang.org/x/crypto/nacl/secretbox which does import salsa and contains the affected salsa2020XORKeyStream. snapd uses secretbox.Open() and secretbox.Seal(), both of which use salsa.XORKeyStream() (which wraps salsa2020XORKeyStream) via the internal decrypt() and encrypt() functions, respectively. In macaroon.v1, encrypt() is only used via AddThirdPartyCaveat() and decrypt() via Verify(). . overlord/auth/auth.go in snapd uses Verify() in CheckMacaroon(), daemon/api.go uses CheckMacaroon() in UserFromRequest(), which is called by ServeHTTP(), the service used to process snap commands from the local system to the local snapd. This CVE does not affect decrypt() operations. . AddThirdPartyCaveat() is only used in unit tests, but not in the binaries of snapd builds. . For snapd, ignoring since only encryption operations (ie, secretbox.Seal()) are affected with regard to loss of confidentiality/predictability and this function is only ever (ultimately) called via the snapd unit tests. lxd contains an embedded copy of golang-go.crypto, but does not import golang.org/x/crypto/nacl/secretbox or salsa. lxd in cosmic and later does not contain the affected code.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
golang-go.crypto

Severity score breakdown

Parameter Value
Base score 5.9 · Medium
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N