Bug 2012887 (CVE-2021-38297)
| Summary: | CVE-2021-38297 golang: Command-line arguments may overwrite global data | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abishop, admiller, alitke, amctagga, amuller, amurdaca, anharris, anpicker, aos-bugs, aos-install, asm, bdettelb, bmontgom, bniver, bodavis, carl, caswilli, cbyrne, cnv-qe-bugs, crarobin, dbecker, dbenoit, dholler, dwalsh, dwhatley, dymurray, emachado, eparis, erooth, etamir, fdeutsch, fdupont, fjansen, flucifre, gmeno, godas, go-sig, hchiramm, hhorak, hvyas, ibolton, jakob, jarrpa, jburrell, jcajka, jhadvig, jjoyce, jmadigan, jmatthew, jmontleo, jmulligan, jnovy, joelsmith, jorton, jpadman, jschluet, jwendell, jwong, jwon, kaycoth, krathod, lball, lemenkov, lhh, lhinds, lmadsen, lpeer, lsm5, madam, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mnewsome, mrunge, mwringe, nalin, nbecker, ngough, nstielau, ocs-bugs, opohorel, osoukup, phoracek, ploffay, pthomas, puebele, quantum.analyst, rcernich, rfreiman, rhs-bugs, rhuss, rrajasek, rtalur, sabose, sclewis, sfowler, sgott, slinaber, slucidi, sostapov, spasquie, sponnaga, sseago, stirabos, sttts, tnielsen, tstellar, tsweeney, twalsh, umohnani, vbatts, vereddy, vkumar, xxia |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | go 1.17.2, go 1.16.9 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAssembly) Modules. Go can be compiled to WASM. If the product or service doesn't use WASM functions, it is not affected, although it uses golang.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-11 18:45:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2014921, 2013628, 2014920, 2014922, 2014923, 2015107, 2015108, 2015109, 2015198, 2015199, 2118476, 2118477, 2118478, 2118479, 2118480, 2118481 | ||
| Bug Blocks: | 2012888 | ||
|
Description
Pedro Sampaio
2021-10-11 14:23:01 UTC
Patches: 1.16 branch: https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564 1.17 branch: https://github.com/golang/go/commit/4925e0766f8a92ab82913b3564228645613290f5 Upstream bug: https://github.com/golang/go/issues/48797 Created golang tracking bugs for this issue: Affects: epel-all [bug 2014920] Affects: fedora-all [bug 2014923] Affects: openstack-rdo [bug 2014921] This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2022:0432 https://access.redhat.com/errata/RHSA-2022:0432 This issue has been addressed in the following products: Openshift Serveless 1.20 Via RHSA-2022:0434 https://access.redhat.com/errata/RHSA-2022:0434 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-38297 Created git-lfs tracking bugs for this issue: Affects: epel-7 [bug 2118476] Affects: fedora-35 [bug 2118477] Affects: fedora-36 [bug 2118478] |