
CVE-2019-11840

Published: 09 May 2019

An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package: golang-go.crypto
Upstream: Not vulnerable
Ubuntu 21.10 (Impish Indri): Not vulnerable (1:0.0~git20200221.2aa609c-1)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (1:0.0~git20200221.2aa609c-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (1:0.0~git20200221.2aa609c-1)
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Needed
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
Patches:
Upstream: https://github.com/golang/crypto/commit/b7391e95e576cacdcdd422573063bc057239113d

Package: lxd
Upstream: Needed
Ubuntu 21.10 (Impish Indri): Not vulnerable (code-not-present)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (code-not-present)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (code-not-present)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (code-not-compiled)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Package: snapd
Upstream: Needed
Ubuntu 21.10 (Impish Indri): Ignored
Ubuntu 21.04 (Hirsute Hippo): Ignored
Ubuntu 20.04 LTS (Focal Fossa): Ignored
Ubuntu 18.04 LTS (Bionic Beaver): Ignored
Ubuntu 16.04 ESM (Xenial Xerus): Ignored
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Notes

Author: jdstrand

snapd contains an embedded copy of golang-go.crypto with the
affected code.

snapd doesn't import/use the salsa code directly, but does vendor
golang-gopkg-macaroon.v1, which imports golang.org/x/crypto/nacl/secretbox
which does import salsa and contains the affected salsa2020XORKeyStream.
snapd uses secretbox.Open() and secretbox.Seal(), both of which use
salsa.XORKeyStream() (which wraps salsa2020XORKeyStream) via the internal
decrypt() and encrypt() functions, respectively. In macaroon.v1, encrypt() is
only used via AddThirdPartyCaveat() and decrypt() via Verify().

overlord/auth/auth.go in snapd uses Verify() in CheckMacaroon(),
daemon/api.go uses CheckMacaroon() in UserFromRequest(), which is called by
ServeHTTP(), the service used to process snap commands from the local system
to the local snapd. This CVE does not affect decrypt() operations.

AddThirdPartyCaveat() is only used in unit tests, but not in the binaries of
snapd builds.

For snapd, ignoring since only encryption operations (i.e., secretbox.Seal())
are affected with regard to loss of confidentiality/predictability and this
function is only ever (ultimately) called via the snapd unit tests.

lxd contains an embedded copy of golang-go.crypto, but does not
import golang.org/x/crypto/nacl/secretbox or salsa. lxd in cosmic and later
does not contain the affected code.
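
A triage check for embedded copies like the ones the notes describe, as an added example (not Ubuntu's or the Go project's code): it reads the text of a go.mod, go.sum or vendor/modules.txt file and classifies each golang.org/x/crypto pseudo-version against the fix date and fix commit given above. `Classify` and `Scan` are hypothetical names; the code assumes the UTC timestamp in a pseudo-version can be compared with the advisory's date and that later commits descend from the fix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// From the advisory: fix date, and the first 12 hex digits of the upstream fix commit.
const fixDate, fixCommit = "20190320", "b7391e95e576"

// Timestamp and commit suffix common to every Go pseudo-version form.
var pseudoRe = regexp.MustCompile(`[-.](\d{14})-([0-9a-f]{12})$`)

// Classify returns "affected", "fixed" or "review" for one x/crypto version.
func Classify(version string) string {
	m := pseudoRe.FindStringSubmatch(strings.TrimSuffix(version, "+incompatible"))
	switch {
	case m == nil:
		return "review" // tagged or unknown form: no commit date to compare
	case m[2] == fixCommit:
		return "fixed"
	case m[1][:8] < fixDate:
		return "affected"
	case m[1][:8] == fixDate:
		return "review" // same day as the fix: commit order unknown
	}
	return "fixed" // assumption: later commits descend from the fix
}

// Scan classifies each golang.org/x/crypto version in go.mod, go.sum or modules.txt text.
func Scan(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "#"))
		for i := 0; i+1 < len(f); i++ {
			ver := strings.TrimSuffix(f[i+1], "/go.mod")
			if f[i] == "golang.org/x/crypto" && strings.HasPrefix(ver, "v") {
				out[ver] = Classify(ver)
			}
		}
	}
	return out
}

func main() {
	sample := "# golang.org/x/crypto v0.0.0-20180101000000-0123456789ab\n" // constructed sample
	fmt.Println(Scan(sample))
}
```

An "affected" result only says the vulnerable source is present in the tree; whether salsa is imported and reachable on an encryption path, as analysed in the notes, still has to be checked. Versions pulled in through a `replace` directive are skipped and need manual review.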
