
We have a Go vulnerability on some instances (server environment), and the source of this vulnerability looks like snapd. Do you have any solution for it?

/snap/snapd/16292/usr/lib/snapd/snapd

go1.13.8 current version / should be 1.17.2 or 1.16.9

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

Thank you. Regards

Zek
  • It is unclear what system you are using and why you didn't update snap. – Pilot6 Aug 16 '22 at 12:37
  • Does this answer your question? [How can I tell if a CVE has been fixed in Ubuntu's repositories?](https://askubuntu.com/questions/563408/how-can-i-tell-if-a-cve-has-been-fixed-in-ubuntus-repositories) – muru Aug 16 '22 at 15:27
  • @muru It is different because it is about a snap package. – Pilot6 Aug 17 '22 at 14:19
  • @Pilot6 I don't think it makes a difference in this case. The vulnerability exists for a particular build configuration, which is not used on Ubuntu, snap or no snap. (Even snap runtimes are based on Ubuntu.) – muru Aug 17 '22 at 14:25
  • @muru thank you for the explanation. Exactly, snapd looks like it is up to date. `snap refresh`: All snaps up to date. – Zek Aug 18 '22 at 08:03

1 Answer

The current go version in Ubuntu snap is 1.18.5.

It is unclear who "we" have the 1.13.8 version.

```
pilot6@Pilot6:~$ snap info go
name:      go
summary:   Go programming language compiler, linker, stdlib
publisher: Michael Hudson-Doyle (mwhudson)
store-url: https://snapcraft.io/go
contact:   michael.hudson@ubuntu.com
license:   BSD-3-Clause
description: |
  This snap provides an assembler, compiler, linker, and compiled libraries
  for the Go programming language.
snap-id: Md1HBASHzP4i0bniScAjXGnOII9cEK6e
channels:
  latest/stable:    1.18.5           2022-08-11 (9952) 104MB classic
```
Pilot6
  • snapd has a go version 13.8. – Zek Aug 16 '22 at 12:39
  • So run `snap refresh` – Pilot6 Aug 16 '22 at 12:41
  • name: go summary: Go programming language compiler, linker, stdlib publisher: Michael Hudson-Doyle (mwhudson) store-url: https://snapcraft.io/go contact: michael.hudson@ubuntu.com license: BSD-3-Clause description: | This snap provides an assembler, compiler, linker, and compiled libraries for the Go programming language. // no go from ubuntu server go it is coming with snapd service – Zek Aug 16 '22 at 14:13
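
The point raised in the comments on the question, that the quoted issue only applies when GOARCH=wasm GOOS=js is used, can be checked per flagged file. The script below is an added example, not part of the original thread: it reads a file's magic bytes and its embedded Go version string, and the function names, verdict labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage one scanner hit for the Go
# WASM issue quoted in the question. File names below are constructed.

# Container format, read from the first four bytes of the file.
binary_format() {
    case "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" in
        7f454c46) echo elf ;;      # native executable, so not GOARCH=wasm
        0061736d) echo wasm ;;     # WebAssembly module magic "\0asm"
        *)        echo unknown ;;
    esac
}

# First Go toolchain version string embedded in the file (heuristic).
go_version_of() {
    LC_ALL=C grep -a -o 'go1\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}' "$1" | head -n 1
}

# Succeeds for the range in the question: before 1.16.9, or 1.17.x before 1.17.2.
version_in_range() {
    v=${1#go}
    minor=$(echo "$v" | cut -d. -f2)
    patch=$(echo "$v" | cut -d. -f3)
    patch=${patch:-0}
    [ "$minor" -lt 16 ] && return 0
    [ "$minor" -eq 16 ] && [ "$patch" -lt 9 ] && return 0
    [ "$minor" -eq 17 ] && [ "$patch" -lt 2 ] && return 0
    return 1
}

# One line per file: "<version> <format> <verdict>".
triage() {
    fmt=$(binary_format "$1")
    ver=$(go_version_of "$1")
    if [ -z "$ver" ]; then verdict=no-go-version; ver=none
    elif ! version_in_range "$ver"; then verdict=version-not-in-range
    elif [ "$fmt" = wasm ]; then verdict=in-range-and-wasm
    else verdict=in-range-but-not-wasm
    fi
    echo "$ver $fmt $verdict"
}

# Constructed sample files: magic bytes plus a version string, nothing else.
make_samples() {
    printf '\177ELF\002\001\001\000 go1.13.8\000' > "$1/native"
    printf '\000asm\001\000\000\000 go1.13.8\000' > "$1/module.wasm"
    printf '\177ELF\002\001\001\000 go1.18.5\000' > "$1/newer"
}

if [ "$#" -gt 0 ]; then triage "$1"; fi
```

On a real host, pass the flagged path as the first argument. Where a Go toolchain is installed, `go version <file>` reports the embedded version directly.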