Bug 2132867 (CVE-2022-2879)
| Summary: | CVE-2022-2879 golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adudiak, ailan, alcohan, amctagga, amurdaca, ansmith, aoconnor, asm, ataylor, bbaude, bcl, bcoca, bdettelb, bkundu, bniver, bodavis, brking, chazlett, danken, davidn, dbenoit, dcadzow, deparker, dfreiber, dhanak, doconnor, drow, dsimansk, dwalsh, dwd, dwhatley, dymurray, eduardo.ramalho, eglynn, emachado, epacific, fdeutsch, flucifre, gmeno, go-sig, gparvin, haoli, hkataria, ibolton, jajackso, jburrell, jcajka, jcammara, jcantril, jchui, jhardy, jjoyce, jligon, jmatthew, jmitchel, jmontleo, jneedle, jnovy, jobarker, jpadman, jramanat, jross, jschluet, jwendell, jwon, kegrant, kingland, koliveir, kshier, kverlaen, lball, lemenkov, lhh, lsm5, lsvaty, mabashia, matzew, maxwell, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mnewsome, mnovotny, mokumar, njean, ocs-bugs, omaciel, oramraz, osapryki, osbuilders, oskutka, owatkins, pahickey, pbraun, peholase, pehunt, periklis, pgaikwad, pgrist, pierdipi, pjindal, pthomas, rcernich, relrod, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rkieley, rojacob, rrajasek, saroy, sfowler, shvarugh, simaishi, sipoyare, skontopo, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, stirabos, teagle, tfister, thason, thavo, tstellar, tsweeney, twalsh, umohnani, vereddy, virt-maint, vkumar, whayutin, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | go 1.19.2, go 1.18.7 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-03-09 05:24:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2138891, 2132878, 2132879, 2133915, 2133916, 2133917, 2133918, 2133919, 2133920, 2133922, 2133923, 2133924, 2134345, 2134405, 2134406, 2134407, 2134441, 2134442, 2134443, 2134445, 2134446, 2134447, 2134448, 2134449, 2134450, 2134453, 2134454, 2134455, 2134456, 2134457, 2134467, 2134468, 2136717, 2136718, 2136719, 2136720, 2136721, 2136722, 2136723, 2136835, 2136839, 2136841, 2136843, 2136849 | ||
| Bug Blocks: | 2132475 | ||
|
Description
Avinash Hanwate
2022-10-07 04:49:22 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2132878] Affects: fedora-all [bug 2132879] References: https://github.com/golang/go/issues/54853 Upstream Commits: Master : https://github.com/golang/go/commit/0bf7ee9977c0218562c50a0b0f0d9cbdf33f65e6 branch.go1.18 : https://github.com/golang/go/commit/0a723816cd205576945fa57fbdde7e6532d59d08 branch.go1.19 : https://github.com/golang/go/commit/4fa773cdefd20be093c84f731be7d4febf5536fa This issue has been addressed in the following products: RHOL-5.5-RHEL-8 Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399 This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0328 https://access.redhat.com/errata/RHSA-2023:0328 This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2023:0445 https://access.redhat.com/errata/RHSA-2023:0445 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0446 https://access.redhat.com/errata/RHSA-2023:0446 This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.3 for RHEL 8 Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708 This issue has been addressed in the following products: RHOSS-1.27-RHEL-8 Via RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:0727 https://access.redhat.com/errata/RHSA-2023:0727 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:1079 https://access.redhat.com/errata/RHSA-2023:1079 This issue has been addressed in the following products: OpenShift Custom Metrics Autoscaler 2 Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042 This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:1174 https://access.redhat.com/errata/RHSA-2023:1174 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2879 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780 This issue has been addressed in the following products: RHEL-9-CNV-4.13 Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205 This issue has been addressed in the following products: RHODF-4.13-RHEL-9 Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613 This issue has been addressed in the following products: Service Interconnect 1 for RHEL 8 Service Interconnect 1 for RHEL 9 Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988 |