Bug 2107376 (CVE-2022-1962)

Summary: CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abishop, acui, adam.kaplan, admiller, adudiak, agarcial, agerstmayr, akashem, amackenz, amasferr, amctagga, amurdaca, anpicker, ansmith, aoconnor, aos-install, aos-network-edge-staff, aos-odin-bot, aos-team-ota, apjagtap, aputtur, asatyam, asm, athoscribeiro, bbaude, bbennett, bcoca, bdettelb, bkundu, blaise, bmontgom, bniver, bodavis, bradley.g.smith, bthurber, cdaley, chazlett, chousekn, cmeyers, container-sig, dagray, davide, davidn, dbenoit, debarshir, deparker, diagrawa, dkenigsb, dperaza, dwalsh, dwd, dwest, dwhatley, dymurray, eaguilar, ebakerupw, ebaron, eclipseo, eduardo.ramalho, eglynn, emachado, eparis, fdeutsch, filbranden, flucifre, ganandan, gblomqui, gmeno, go-sig, gparvin, grafana-maint, ibolton, ijolliff, infra-sig, jacding, jburrell, jcajka, jcammara, jcantril, jchaloup, jchui, jerzhang, jhadvig, jhardy, jhrozek, jitsingh, jjoyce, jkang, jkoehler, jligon, jmatthew, jmencak, jmontleo, jnovy, jobarker, joelsmith, jpadman, jpallich, jramanat, jschluet, jwendell, jwon, kaycoth, ktokunaga.mail, kwalker, lball, lbragsta, lemenkov, lgamliel, lhh, lmeyer, lsm5, lsvaty, mabashia, maciek.borzecki, marcandre.lureau, mattia.verga, matzew, maxwell, mbenjamin, mburns, mcressma, me, me, mfilanov, mfojtik, mgarciac, mgoodwin, mhackett, mheon, michel, mkudlej, mnewsome, mskalicky, mwringe, nathans, ngompa13, njean, nobody, notting, nparekh, nstielau, obudai, obulatov, ocp-storage-bot, ocs-bugs, o.lemasle, openshift-release-oversight, oramraz, osapryki, oskutka, owatkins, pahickey, patrick, pegoncal, peholase, pehunt, periklis, pgrist, pjindal, pknezevi, pkubat, ploffay, pthomas, quantum.analyst, rcernich, redhat, relrod, rfreiman, rh.container.bot, rhos-maint, rhuss, rjohnson, rpetrell, rphillips, ryncsn, sanchezl, santiago, saroy, scorneli, sdawley, sdoran, sejug, sfroberg, sgott, sipoyare, slaznick, slucidi, smcdonal, smullick, sostapov, spandura, spasquie, sponnaga, spower, sseago, stcannon, surbania, team-winc-bot, tfister, thrcka, tjochec, tkuratom, tsedovic, tstellar, tsweeney, twalsh, umohnani, vereddy, vkumar, wenshen, whayutin, xiyuan, xxia, yselkowi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.18.4, golang 1.17.12 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-17 00:32:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2115934, 2107377, 2109914, 2109915, 2109916, 2109917, 2110364, 2111001, 2111496, 2111746, 2111747, 2111758, 2111759, 2111760, 2111767, 2111796, 2111797, 2111798, 2111805, 2111806, 2111807, 2111808, 2111816, 2112009, 2112010, 2115932, 2115933, 2115935, 2115936, 2115937, 2115938, 2115939, 2115945, 2115946, 2115947, 2115948, 2115949, 2115950, 2115952, 2123509, 2123510, 2123514, 2123748, 2123750, 2123754, 2259902, 2259903, 2259904, 2259905    
Bug Blocks: 2106609    

Description Anten Skrabec 2022-07-14 20:40:00 UTC 
Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.
Comment 1 Anten Skrabec 2022-07-14 20:40:15 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107377]
Comment 6 Avinash Hanwate 2022-07-25 10:22:18 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110364]
Comment 18 errata-xmlrpc 2022-08-01 12:04:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775
Comment 19 errata-xmlrpc 2022-08-01 16:04:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799
Comment 20 errata-xmlrpc 2022-08-02 09:53:48 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866
Comment 23 errata-xmlrpc 2022-08-10 11:37:45 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 24 errata-xmlrpc 2022-08-10 13:16:18 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 28 errata-xmlrpc 2022-08-18 15:10:58 UTC 
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113
Comment 29 errata-xmlrpc 2022-08-25 11:21:41 UTC 
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188
Comment 30 errata-xmlrpc 2022-08-31 18:49:22 UTC 
This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:6283 https://access.redhat.com/errata/RHSA-2022:6283
Comment 31 errata-xmlrpc 2022-09-01 05:41:36 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 32 errata-xmlrpc 2022-09-06 12:58:48 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 33 errata-xmlrpc 2022-09-06 13:02:56 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 34 errata-xmlrpc 2022-09-06 13:43:18 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 35 errata-xmlrpc 2022-09-06 14:34:14 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 36 errata-xmlrpc 2022-09-06 22:29:52 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 37 errata-xmlrpc 2022-09-13 02:10:35 UTC 
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430
Comment 45 errata-xmlrpc 2022-11-08 09:26:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
Comment 46 errata-xmlrpc 2022-11-08 09:29:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529
Comment 47 errata-xmlrpc 2022-11-15 10:07:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
Comment 50 errata-xmlrpc 2022-12-15 01:58:04 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 64 errata-xmlrpc 2023-01-24 12:49:25 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 65 errata-xmlrpc 2023-01-24 13:35:13 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 74 errata-xmlrpc 2023-03-06 18:39:42 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 77 errata-xmlrpc 2023-05-16 08:08:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 78 errata-xmlrpc 2023-05-16 08:13:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802
Comment 80 Product Security DevOps Team 2023-05-17 00:31:30 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1962
Comment 88 errata-xmlrpc 2024-02-12 10:36:28 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
Comment 89 errata-xmlrpc 2024-02-28 18:13:45 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027
Comment 90 errata-xmlrpc 2024-03-20 00:40:10 UTC 
This issue has been addressed in the following products:

  MTA-7.0-RHEL-8
  MTA-7.0-RHEL-9

Via RHSA-2024:1433 https://access.redhat.com/errata/RHSA-2024:1433