Bug 2132872 (CVE-2022-41715)
| Summary: | CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abishop, adudiak, agerstmayr, alakatos, amackenz, amasferr, amurdaca, ansmith, aoconnor, apevec, asm, ataylor, bbaude, bcl, bcoca, bdettelb, bkundu, bniver, bodavis, chazlett, davidn, dbenoit, debarshir, deparker, desktop-qa-list, dwalsh, dwd, dwhatley, dymurray, eduardo.ramalho, eglynn, emachado, epacific, fdeutsch, flucifre, gmeno, go-sig, gparvin, grafana-maint, ibolton, jaharrin, jburrell, jcajka, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jpadman, jramanat, jross, jwendell, jwon, lball, lemenkov, lhh, lmadsen, lsm5, mabashia, matzew, maxwell, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mkudlej, mmagr, mnewsome, mrunge, mwringe, nathans, nboldt, njean, nobody, ocs-bugs, oramraz, osapryki, osbuilders, oskutka, pahickey, pehunt, periklis, pjindal, pthomas, rcernich, rhcos-sst, rhos-maint, rhuss, rkieley, rsroka, saroy, scorneli, sfowler, simaishi, sipoyare, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, tfister, tjochec, tstellar, tsweeney, twalsh, umohnani, vereddy, vkumar, vrothber, whayutin, yguenane, ytale, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | go 1.19.2, go 1.18.7 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-18 19:43:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2132874, 2132875, 2133915, 2133916, 2133917, 2133920, 2133922, 2133923, 2133924, 2133925, 2133926, 2133927, 2134347, 2134405, 2134406, 2134407, 2134441, 2134442, 2134443, 2134445, 2134446, 2134447, 2134448, 2134449, 2134450, 2134453, 2134454, 2134455, 2134456, 2134457, 2134467, 2134468, 2134471, 2134472, 2134473, 2134474, 2134475, 2134476, 2134477, 2134481, 2134482, 2134483, 2134484, 2134485, 2134486, 2134487, 2134488, 2134489, 2134490, 2134491, 2134492, 2134493, 2134494, 2134495, 2134496, 2134497, 2134498, 2134499, 2134500, 2134501, 2135724, 2135725, 2135726, 2135727, 2136717, 2136718, 2136719, 2136720, 2136721, 2136722, 2136723, 2136835, 2136839, 2136841, 2136843, 2136849, 2138892, 2138893, 2168805 | ||
| Bug Blocks: | 2132475 | ||
|
Description
Avinash Hanwate
2022-10-07 04:57:59 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2132874] Affects: fedora-all [bug 2132875] References: https://github.com/golang/go/issues/55949 Upstream Commits: Master : https://github.com/golang/go/commit/c3c4aea55b404c2e6ef109ec6a345f4ccb877381 branch.go1.18 : https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 branch.go1.19 : https://github.com/golang/go/commit/645abfe529dc325e16daa17210640c2907d1c17a This issue has been addressed in the following products: RHOL-5.5-RHEL-8 Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399 This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0328 https://access.redhat.com/errata/RHSA-2023:0328 This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2023:0445 https://access.redhat.com/errata/RHSA-2023:0445 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0446 https://access.redhat.com/errata/RHSA-2023:0446 This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.3 for RHEL 8 Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8 Via RHSA-2023:0631 https://access.redhat.com/errata/RHSA-2023:0631 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708 This issue has been addressed in the following products: RHOSS-1.27-RHEL-8 Via RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:0727 https://access.redhat.com/errata/RHSA-2023:0727 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:1079 https://access.redhat.com/errata/RHSA-2023:1079 This issue has been addressed in the following products: OpenShift Custom Metrics Autoscaler 2 Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042 This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:1174 https://access.redhat.com/errata/RHSA-2023:1174 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Red Hat OpenStack Platform 16.2 Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275 This issue has been addressed in the following products: STF-1.5-RHEL-8 Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2167 https://access.redhat.com/errata/RHSA-2023:2167 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2592 https://access.redhat.com/errata/RHSA-2023:2592 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2784 https://access.redhat.com/errata/RHSA-2023:2784 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2866 https://access.redhat.com/errata/RHSA-2023:2866 This issue has been addressed in the following products: RHEL-9-CNV-4.13 Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205 This issue has been addressed in the following products: OSSO-1.1-RHEL-8 Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-41715 This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642 This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2023:3664 https://access.redhat.com/errata/RHSA-2023:3664 This issue has been addressed in the following products: RHODF-4.13-RHEL-9 Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613 This issue has been addressed in the following products: Service Interconnect 1 for RHEL 8 Service Interconnect 1 for RHEL 9 Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3254 https://access.redhat.com/errata/RHSA-2024:3254 |