Bug 2107376 (CVE-2022-1962) - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
Summary: CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1962
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2115934 2259903 2107377 2109914 2109915 2109916 2109917 2110364 2111001 2111496 2111746 2111747 2111758 2111759 2111760 2111767 2111796 2111797 2111798 2111805 2111806 2111807 2111808 2111816 2112009 2112010 2115932 2115933 2115935 2115936 2115937 2115938 2115939 2115945 2115946 2115947 2115948 2115949 2115950 2115952 2123509 2123510 2123514 2123748 2123750 2123754 2259902 2259904 2259905
Blocks: 2106609
TreeView+ depends on / blocked
 
Reported: 2022-07-14 20:40 UTC by Anten Skrabec
Modified: 2024-03-20 00:40 UTC (History)
216 users (show)

Fixed In Version: golang 1.18.4, golang 1.17.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability.
Clone Of:
Environment:
Last Closed: 2023-05-17 00:32:19 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5800 0 None None None 2022-08-01 15:59:46 UTC
Red Hat Product Errata RHBA-2022:6131 0 None None None 2022-08-22 19:36:15 UTC
Red Hat Product Errata RHSA-2022:5775 0 None None None 2022-08-01 12:04:36 UTC
Red Hat Product Errata RHSA-2022:5799 0 None None None 2022-08-01 16:04:28 UTC
Red Hat Product Errata RHSA-2022:5866 0 None None None 2022-08-02 09:53:55 UTC
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:16:27 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:37:55 UTC
Red Hat Product Errata RHSA-2022:6113 0 None None None 2022-08-18 15:11:07 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:41:48 UTC
Red Hat Product Errata RHSA-2022:6188 0 None None None 2022-08-25 11:21:51 UTC
Red Hat Product Errata RHSA-2022:6283 0 None None None 2022-08-31 18:49:31 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:34:25 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:03:03 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:58:59 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:43:28 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:30:01 UTC
Red Hat Product Errata RHSA-2022:6430 0 None None None 2022-09-13 02:10:45 UTC
Red Hat Product Errata RHSA-2022:7519 0 None None None 2022-11-08 09:26:29 UTC
Red Hat Product Errata RHSA-2022:7529 0 None None None 2022-11-08 09:29:20 UTC
Red Hat Product Errata RHSA-2022:8057 0 None None None 2022-11-15 10:07:12 UTC
Red Hat Product Errata RHSA-2022:9047 0 None None None 2022-12-15 01:58:09 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:32 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:35:24 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:39:48 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:08:59 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:13:43 UTC
Red Hat Product Errata RHSA-2024:0778 0 None None None 2024-02-12 10:36:40 UTC
Red Hat Product Errata RHSA-2024:1027 0 None None None 2024-02-28 18:13:56 UTC
Red Hat Product Errata RHSA-2024:1433 0 None None None 2024-03-20 00:40:18 UTC

Description Anten Skrabec 2022-07-14 20:40:00 UTC 
Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.
Comment 1 Anten Skrabec 2022-07-14 20:40:15 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107377]
Comment 6 Avinash Hanwate 2022-07-25 10:22:18 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110364]
Comment 18 errata-xmlrpc 2022-08-01 12:04:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775
Comment 19 errata-xmlrpc 2022-08-01 16:04:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799
Comment 20 errata-xmlrpc 2022-08-02 09:53:48 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866
Comment 23 errata-xmlrpc 2022-08-10 11:37:45 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 24 errata-xmlrpc 2022-08-10 13:16:18 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 28 errata-xmlrpc 2022-08-18 15:10:58 UTC 
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113
Comment 29 errata-xmlrpc 2022-08-25 11:21:41 UTC 
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188
Comment 30 errata-xmlrpc 2022-08-31 18:49:22 UTC 
This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:6283 https://access.redhat.com/errata/RHSA-2022:6283
Comment 31 errata-xmlrpc 2022-09-01 05:41:36 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 32 errata-xmlrpc 2022-09-06 12:58:48 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 33 errata-xmlrpc 2022-09-06 13:02:56 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 34 errata-xmlrpc 2022-09-06 13:43:18 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 35 errata-xmlrpc 2022-09-06 14:34:14 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 36 errata-xmlrpc 2022-09-06 22:29:52 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 37 errata-xmlrpc 2022-09-13 02:10:35 UTC 
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430
Comment 45 errata-xmlrpc 2022-11-08 09:26:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
Comment 46 errata-xmlrpc 2022-11-08 09:29:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529
Comment 47 errata-xmlrpc 2022-11-15 10:07:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
Comment 50 errata-xmlrpc 2022-12-15 01:58:04 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 64 errata-xmlrpc 2023-01-24 12:49:25 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 65 errata-xmlrpc 2023-01-24 13:35:13 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 74 errata-xmlrpc 2023-03-06 18:39:42 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 77 errata-xmlrpc 2023-05-16 08:08:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 78 errata-xmlrpc 2023-05-16 08:13:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802
Comment 80 Product Security DevOps Team 2023-05-17 00:31:30 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1962
Comment 88 errata-xmlrpc 2024-02-12 10:36:28 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
Comment 89 errata-xmlrpc 2024-02-28 18:13:45 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027
Comment 90 errata-xmlrpc 2024-03-20 00:40:10 UTC 
This issue has been addressed in the following products:

  MTA-7.0-RHEL-8
  MTA-7.0-RHEL-9

Via RHSA-2024:1433 https://access.redhat.com/errata/RHSA-2024:1433
Note You need to log in before you can comment on or make changes to this bug.