CVE-2015-8618
Published: January 27, 2016Last modified: November 10, 2023
Description
The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | NONE |
| Availability impact | NONE |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | go | Not affected (1.19.9-r1) |
| Stream | go | Not affected (1.21.0-r2) |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175642.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176179.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html
- http://www.openwall.com/lists/oss-security/2015/12/21/6
- http://www.openwall.com/lists/oss-security/2015/12/22/9
- http://www.openwall.com/lists/oss-security/2016/01/13/7
- https://github.com/golang/go/issues/13515
- https://go-review.googlesource.com/#/c/17672/
- https://groups.google.com/forum/#%21topic/golang-announce/MEATuOi_ei4