Bug 1867099 (CVE-2020-16845)
| Summary: | CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abonas, admiller, alegrand, alitke, amurdaca, anpicker, aos-bugs, aos-storage-staff, asm, bbennett, bbreard, bbrownin, bmontgom, bodavis, cnv-qe-bugs, deparker, dustymabe, dwalsh, emachado, eparis, erooth, fdeutsch, fweimer, gbrown, hchiramm, hvyas, imcleod, jakub, jburrell, jcajka, jcosta, jesusr, jligon, jmulligan, jokerman, jpadman, jwon, kakkoyun, kconner, krathod, law, lcosic, lemenkov, madam, markito, mcooper, miabbott, mloibl, mnewsome, mpatel, mpolacek, nstielau, ohudlick, oyahud, phoracek, pkrupa, puebele, rcernich, renich, rhs-bugs, rphillips, rrajasek, rtalur, sfowler, sgott, shurley, sponnaga, stirabos, storage-qa-internal, surbania, swshanka, tschelle, tstellar, tsweeney, vbatts, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Go 1.14.7, Go 1.13.15, Go 1.15rc2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw possibly leads to processing more input than expected. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-09-08 13:19:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1859441, 1859442, 1865875, 1866622, 1866623, 1866624, 1866625, 1866626, 1866627, 1866628, 1866629, 1866630, 1866631, 1866632, 1866633, 1866634, 1866635, 1866636, 1866637, 1866638, 1866639, 1866640, 1866641, 1866642, 1866643, 1866644, 1866645, 1866646, 1866647, 1866648, 1866649, 1866650, 1866651, 1866652, 1866653, 1866654, 1866655, 1866656, 1866657, 1866658, 1866660, 1866661, 1866662, 1866663, 1866664, 1866665, 1866666, 1866667, 1866668, 1866669, 1866670, 1866671, 1866672, 1866673, 1866674, 1866675, 1866676, 1866945, 1866946, 1867100, 1867101, 1867484, 1867485, 1867487, 1867522, 1867531, 1867532, 1867537, 1867540, 1867541, 1867542, 1867543, 1867557, 1869544, 1869545, 1869546, 1873281, 1873282, 1873283, 1873284, 1873285, 1874893, 1875477, 1878636, 1881579, 1883099, 1883100, 1883101, 1883102, 1883103, 1883104, 1883105, 1883106, 1883107, 1883108, 1883109, 1883110, 1883111, 1883112, 1883113, 1883114, 1883115, 1883116, 1883117, 1883118, 1883119, 1883120, 1883121, 1883122, 1883123, 1883124, 1883125, 1883126, 1883127, 1883128, 1883129, 1883130, 1932964, 1932969, 1933013, 1933040, 1933080, 1941198, 1941520, 1941530, 1941540, 1941550, 1941585 | ||
| Bug Blocks: | 1867102 | ||
|
Description
Michael Kaplan
2020-08-07 11:18:07 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 1867100] Affects: fedora-all [bug 1867101] External References: https://groups.google.com/g/golang-announce/c/NyPIaucMgXo golang-github-ulikunitz-xz is also affected and fix is included in 0.5.8. FEDORA-2020-e384830a0d has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-deff052e7a has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report. Statement: OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization components are primarily written in Go, meaning that any component using the encoding/binary package includes the vulnerable code. The affected components are behind OpenShift OAuth authentication, therefore the impact is low. Red Hat Gluster Storage 3, Red Hat OpenShift Container Storage 4 and Red Hat Ceph Storage (3 and 4) components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3665 https://access.redhat.com/errata/RHSA-2020:3665 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-16845 This issue has been addressed in the following products: RHEL-8-CNV-2.4 RHEL-7-CNV-2.4 Via RHSA-2020:4201 https://access.redhat.com/errata/RHSA-2020:4201 This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2020:4214 https://access.redhat.com/errata/RHSA-2020:4214 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:5119 https://access.redhat.com/errata/RHSA-2020:5119 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:5118 https://access.redhat.com/errata/RHSA-2020:5118 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:5159 https://access.redhat.com/errata/RHSA-2020:5159 This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.6.0 on RHEL-8 Via RHSA-2020:5606 https://access.redhat.com/errata/RHSA-2020:5606 This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.6.0 on RHEL-8 Via RHSA-2020:5605 https://access.redhat.com/errata/RHSA-2020:5605 This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:5649 https://access.redhat.com/errata/RHSA-2020:5649 This issue has been addressed in the following products: OpenShift Serverless 1.9.0 Via RHSA-2021:0072 https://access.redhat.com/errata/RHSA-2021:0072 Used fixcvenames for http://127.0.0.1:5600/static/#/tracker/jboss/TRACING-1415 It seems the new golang-builder that was released in Nov 2020 actually fixed this: penshift-golang-builder-container-v1.14.0-202011132014.el7 It's misleading and is actually 1.14.9-2 This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:0713 https://access.redhat.com/errata/RHSA-2021:0713 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:0956 https://access.redhat.com/errata/RHSA-2021:0956 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:1016 https://access.redhat.com/errata/RHSA-2021:1016 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:2122 https://access.redhat.com/errata/RHSA-2021:2122 This issue has been addressed in the following products: RHEL-7-CNV-4.9 RHEL-8-CNV-4.9 Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103 |