Bug 2107392 (CVE-2022-30633)
Summary: | CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | acui, adam.kaplan, adudiak, agarcial, agerstmayr, akashem, akoutsou, amackenz, amasferr, amurdaca, andrew.jeddeloh, anpicker, ansmith, aoconnor, aos-network-edge-staff, aos-odin-bot, aputtur, asm, athoscribeiro, bbaude, bbennett, bcoca, bdettelb, bgilbert, bkundu, blaise, bmontgom, bniver, bodavis, bperkins, bradley.g.smith, bthurber, cdaley, chazlett, chousekn, cmeyers, code, container-sig, dagray, dahernan, davide, davidn, dbenoit, debarshir, deparker, dornelas, dperaza, dustymabe, dwalsh, dwd, dwest, dwhatley, dymurray, ebakerupw, eduardo.ramalho, eglynn, emachado, eparis, fdeutsch, filbranden, flucifre, gblomqui, gmeno, go-sig, gparvin, grafana-maint, ibolton, ijolliff, jacding, jaharrin, jburrell, jcajka, jcammara, jchaloup, jchui, jeder, jhadvig, jhardy, jhrozek, jitsingh, jjoyce, jligon, jmatthew, jmencak, jmontleo, jnovy, jobarker, jonathan, jpadman, jramanat, jwendell, jwon, lball, lbragsta, lemenkov, lhh, lmeyer, lsm5, mabashia, maciek.borzecki, mark.e.fuller, matzew, maxwell, mbenjamin, mburns, mcressma, me, me, mfojtik, mgarciac, mgoodwin, mhackett, mheon, miabbott, michel, mkudlej, mnewsome, mrussell, mwringe, nathans, ngompa13, njean, nobody, notting, nparekh, nstielau, obudai, obulatov, ocp-storage-bot, ocs-bugs, o.lemasle, openshift-release-oversight, osapryki, osbuilders, oskutka, pahickey, patrick, pegoncal, pehunt, pjindal, pknezevi, ploffay, pthomas, quantum.analyst, rcernich, redhat, relrod, rh.container.bot, rhcos-sst, rhcos-triage, rhos-maint, rhuss, rpetrell, rphillips, ryncsn, sanchezl, santiago, saroy, scorneli, sdoran, sejug, sgott, sipoyare, skunkerk, slaznick, slucidi, smcdonal, sostapov, spandura, spasquie, sponnaga, spower, spresti, sseago, ssteinbe, stcannon, surbania, team-winc-bot, tfister, tgunders, tjochec, tkuratom, travier, tsedovic, tstellar, tsweeney, twalsh, umohnani, user-cont-team+packit-fas, vereddy, vkumar, walters, wenshen, whayutin, xiyuan, xxia, yanqiyu01, zdohnal, zebob.m |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | golang 1.18.4, golang 1.17.12 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-05-17 00:38:59 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2115482, 2107393, 2109914, 2109915, 2109916, 2109917, 2110330, 2111001, 2111496, 2111746, 2111747, 2111758, 2111759, 2111760, 2111765, 2111766, 2111767, 2111786, 2112009, 2112010, 2115483, 2115484, 2115485, 2115486, 2115487, 2115488, 2115489, 2115490, 2115491, 2115492, 2115493, 2115494, 2115498, 2115499, 2123509, 2123510, 2123514, 2123748, 2123750, 2123754 | ||
Bug Blocks: | 2108717 |
Description
Anten Skrabec
2022-07-14 21:42:36 UTC
Created golang tracking bugs for this issue: Affects: fedora-all [bug 2107393] Created golang tracking bugs for this issue: Affects: epel-all [bug 2110330] This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799 This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042 This issue has been addressed in the following products: Openshift Serveless 1.24 Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040 This issue has been addressed in the following products: Application Interconnect 1 for RHEL 8 Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113 This issue has been addressed in the following products: Node Maintenance Operator 4.11 for RHEL 8 Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188 This issue has been addressed in the following products: OSSM-2.2-RHEL-8 Via RHSA-2022:6283 https://access.redhat.com/errata/RHSA-2022:6283 This issue has been addressed in the following products: OSSO-1.1-RHEL-8 Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8 Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8 Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8 Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348 This issue has been addressed in the following products: multicluster engine for Kubernetes 2.1 for RHEL 8 Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8 Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047 This issue has been addressed in the following products: RHEL-8-CNV-4.12 RHEL-7-CNV-4.12 Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407 This issue has been addressed in the following products: RHEL-8-CNV-4.12 Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408 This issue has been addressed in the following products: OpenShift Custom Metrics Autoscaler 2 Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-30633 This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642 |