Bug 2053541 (CVE-2022-23773)

Summary: CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abishop, akashem, alitke, amctagga, amuller, amurdaca, anharris, anpicker, aos-bugs, apevec, asm, bbennett, bdettelb, bmontgom, bniver, bodavis, caswilli, cnv-qe-bugs, crarobin, dbecker, dbenoit, dholler, dornelas, dwalsh, dwd, dwhatley, dymurray, eglynn, emachado, eparis, erooth, etamir, fdeutsch, fjansen, flucifre, gmeno, hchiramm, hvyas, ibolton, jaharrin, jakob, jarrpa, jburrell, jcajka, jeder, jjoyce, jligon, jmadigan, jmatthew, jmontleo, jmulligan, joelsmith, jokerman, jortel, jpadman, jschluet, jwendell, jwong, jwon, kaycoth, krathod, lball, lemenkov, lhh, lhinds, lmadsen, lmeyer, lpeer, madam, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mkleinhe, mmagr, mnewsome, mrunge, mrussell, mthoemme, mwringe, nbecker, ngough, nobody, nstielau, ocs-bugs, pamccart, ploffay, rcernich, rfreiman, rhcos-triage, rhos-maint, rhs-bugs, rhuss, rphillips, rrajasek, rtalur, sclewis, sgott, sipoyare, slinaber, slucidi, sostapov, spasquie, sponnaga, spower, sseago, stirabos, sttts, tcarlin, tkasparek, tnielsen, tstellar, tsweeney, twalsh, vereddy, vkumar, xxia, ytale
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: go 1.17.7, go 1.16.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cmd/go, the go command of golang. The go command could be tricked into accepting a branch whose name resembles a version tag. This issue could allow a remote unauthenticated attacker to bypass security restrictions and introduce invalid or incorrect tags, reducing the integrity of the environment.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-11 16:46:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2054846, 2073717, 2073718, 2053542, 2053543, 2053544, 2054242, 2054245, 2054842, 2054844, 2054845, 2056095, 2056098, 2056102, 2067531, 2068662, 2068663, 2068664, 2068670, 2068671, 2068673, 2068803, 2068827, 2068828, 2068829, 2068836, 2080392, 2080393, 2080394, 2080395, 2080396, 2080397, 2080398, 2080399, 2080400, 2080401, 2080402, 2080403, 2080404, 2168805
Bug Blocks: 2053545

Description Guilherme de Almeida Suckevicz 2022-02-11 13:39:20 UTC
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Reference:
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
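A repository-hygiene check for the condition the description above names, added here as an example (it is not code from the Go project, from the reporter, or from this bug): given `git ls-remote` output, it lists branches whose names have the shape of a module version tag, and branches that share a short name with an existing tag. The `SampleLsRemote` input is constructed, and the `versionTag` pattern is an assumption that approximates rather than reproduces the grammar cmd/go applies to tags. Upgrading to go 1.16.14 / 1.17.7 is the fix; the check only surfaces refs in a repository that a branch-only contributor could have created and that look like tags.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not part of the Go project or of this bug report.
// versionTag is a simplified semantic-version shape (assumption: close to,
// but not identical with, the tag grammar cmd/go uses for module versions).
var versionTag = regexp.MustCompile(
	`^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)` +
		`(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// Ref is one entry of `git ls-remote` output.
type Ref struct {
	Hash string
	Name string // full ref name, e.g. refs/heads/main or refs/tags/v1.0.0
}

// SampleLsRemote is constructed input in the "hash<TAB>refname" format git prints.
// It contains a branch named v1.2.3 that also exists as a tag.
const SampleLsRemote = "0123456789abcdef0123456789abcdef01234567\tHEAD\n" +
	"0123456789abcdef0123456789abcdef01234567\trefs/heads/main\n" +
	"89abcdef0123456789abcdef0123456789abcdef\trefs/heads/v1.2.3\n" +
	"fedcba9876543210fedcba9876543210fedcba98\trefs/heads/release/v2.0.0\n" +
	"1111111111111111111111111111111111111111\trefs/tags/v1.0.0\n" +
	"2222222222222222222222222222222222222222\trefs/tags/v1.0.0^{}\n" +
	"3333333333333333333333333333333333333333\trefs/tags/v1.2.3\n"

// ParseLsRemote splits ls-remote output into refs; malformed lines are skipped.
// Hashes and ref names never contain whitespace, so splitting on fields is safe.
func ParseLsRemote(out string) []Ref {
	var refs []Ref
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		refs = append(refs, Ref{Hash: fields[0], Name: fields[1]})
	}
	return refs
}

// LooksLikeVersionTag reports whether a short ref name has the shape of a
// module version tag (v MAJOR.MINOR.PATCH with optional suffixes).
func LooksLikeVersionTag(name string) bool {
	return versionTag.MatchString(name)
}

// VersionLikeBranches returns the short names of branches (refs/heads/*)
// that could be mistaken for version tags.
func VersionLikeBranches(refs []Ref) []string {
	var out []string
	for _, r := range refs {
		if !strings.HasPrefix(r.Name, "refs/heads/") {
			continue
		}
		short := strings.TrimPrefix(r.Name, "refs/heads/")
		if LooksLikeVersionTag(short) {
			out = append(out, short)
		}
	}
	return out
}

// TagCollisions returns short names that exist both as a branch and as a tag.
// Peeled tag entries ("name^{}") are folded into their tag name.
func TagCollisions(refs []Ref) []string {
	tags := map[string]bool{}
	for _, r := range refs {
		if strings.HasPrefix(r.Name, "refs/tags/") {
			short := strings.TrimSuffix(strings.TrimPrefix(r.Name, "refs/tags/"), "^{}")
			tags[short] = true
		}
	}
	var out []string
	for _, r := range refs {
		if strings.HasPrefix(r.Name, "refs/heads/") {
			short := strings.TrimPrefix(r.Name, "refs/heads/")
			if tags[short] {
				out = append(out, short)
			}
		}
	}
	return out
}

func main() {
	refs := ParseLsRemote(SampleLsRemote)
	for _, b := range VersionLikeBranches(refs) {
		fmt.Printf("branch %q looks like a version tag\n", b)
	}
	for _, b := range TagCollisions(refs) {
		fmt.Printf("branch %q collides with a tag of the same name\n", b)
	}
}
```

On the constructed sample the check reports `v1.2.3` twice: once because the branch name alone has the shape of a version tag, and once because a tag of the same name exists. The nested `release/v2.0.0` branch is not reported, since only the short name as a whole is matched.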

Comment 1 Guilherme de Almeida Suckevicz 2022-02-11 13:40:43 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2053542]
Affects: fedora-all [bug 2053544]
Affects: openstack-rdo [bug 2053543]

Comment 14 errata-xmlrpc 2022-05-10 13:39:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819

Comment 15 Product Security DevOps Team 2022-05-11 16:45:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23773

Comment 16 errata-xmlrpc 2022-06-01 11:46:18 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:4860 https://access.redhat.com/errata/RHSA-2022:4860

Comment 17 errata-xmlrpc 2022-06-01 13:59:32 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.22

Via RHSA-2022:4863 https://access.redhat.com/errata/RHSA-2022:4863

Comment 18 errata-xmlrpc 2022-06-13 12:33:32 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5004 https://access.redhat.com/errata/RHSA-2022:5004

Comment 19 errata-xmlrpc 2022-08-09 02:35:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5875 https://access.redhat.com/errata/RHSA-2022:5875

Comment 20 errata-xmlrpc 2022-08-10 10:08:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068

Comment 23 errata-xmlrpc 2022-08-23 18:11:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6094 https://access.redhat.com/errata/RHSA-2022:6094

Comment 24 errata-xmlrpc 2022-08-24 13:47:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 25 errata-xmlrpc 2022-09-14 19:27:45 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526

Comment 26 errata-xmlrpc 2023-01-24 13:34:34 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408

Comment 27 errata-xmlrpc 2023-03-30 00:42:42 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529