Bug 2258165 (CVE-2023-49568)

Summary: CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on go-git clients
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agarcial, amctagga, aoconnor, asegurap, bradley.g.smith, btarraso, caswilli, dfreiber, dhanak, drow, dshah, dsimansk, eglynn, gparvin, jburrell, jjoyce, jkoehler, jschluet, kaycoth, kingland, kverlaen, lbainbri, lhh, lsvaty, matzew, mburns, mgarciac, mnovotny, njean, owatkins, pahickey, pgrist, pierdipi, rguimara, rhaigner, rhos-maint, rhuss, sdawley, shbose, sipoyare, tkral, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: go-git 5.11
Doc Type: If docs needed, set a value
Doc Text:
A denial of service (DoS) vulnerability was found in the go library go-git. This issue may allow an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which can trigger resource exhaustion in go-git clients.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2259799, 2259800, 2259730, 2259731, 2259732, 2259733, 2259734, 2259735, 2259736, 2259737, 2259738, 2259739, 2259740, 2259741, 2259742, 2259743, 2259744, 2259745, 2259746, 2259747, 2259801, 2259802, 2259803, 2259804, 2259805, 2259806, 2259807, 2259808, 2259809, 2259811, 2259813, 2259815, 2259817, 2259819, 2259821, 2259823
Bug Blocks: 2258168

Description Pedro Sampaio 2024-01-12 23:32:51 UTC
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

References:

https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r
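
The practical question the description above raises for anyone shipping Go binaries is "does this build resolve go-git below the fixed release?". The following is an added example, not code from this bug, from Red Hat or from the go-git project: a standard-library-only Go check that finds the resolved github.com/go-git/go-git/v5 version in a go.mod, in `go list -m all` output or in `go version -m <binary>` output, honours replace directives, and compares it against the first fixed tag, assumed here to be v5.11.0 (the advisory says "versions prior to v5.11"). The sample go.mod embedded in it is constructed for the example; the function names are mine.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path of go-git v5 as it appears in go.mod, `go list -m all` and
// `go version -m <binary>` output.
const goGitModule = "github.com/go-git/go-git/v5"

// First release with the fix (advisory: "versions prior to v5.11"); the
// exact tag is assumed here to be v5.11.0.
const goGitFixed = "v5.11.0"

// Constructed sample go.mod (not from any real project), used as offline input.
const sampleGoMod = `module example.com/ci-runner
go 1.21
require (
	github.com/go-git/go-git/v5 v5.10.1
	github.com/go-git/go-billy/v5 v5.5.0 // indirect
	golang.org/x/crypto v0.17.0
)
`

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric core
// and pre-release tag; build metadata such as "+incompatible" is ignored.
func parseSemver(v string) (core [3]int, pre string, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	n, err := fmt.Sscanf(v, "%d.%d.%d", &core[0], &core[1], &core[2])
	return core, pre, err == nil && n == 3
}

// lessThan reports whether a sorts before b: numeric core first; for an equal
// core a pre-release (which is what a Go pseudo-version such as
// v5.11.0-0.20231201120000-abcdef012345 is) sorts before the final release.
func lessThan(a, b string) bool {
	ca, pa, okA := parseSemver(a)
	cb, pb, okB := parseSemver(b)
	if !okA || !okB {
		return false
	}
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	return (pa != "" && pb == "") || (pa != "" && pb != "" && pa < pb)
}

// versionAfter returns the token that follows the go-git module path, if any.
func versionAfter(line string) (string, bool) {
	f := strings.Fields(line)
	for i := 0; i+1 < len(f); i++ {
		if f[i] == goGitModule && strings.HasPrefix(f[i+1], "v") {
			return f[i+1], true
		}
	}
	return "", false
}

// goGitVersion scans go.mod text, `go list -m all` or `go version -m` output.
// A replace directive (go.mod) or "=>" annotation (go list) wins over the
// required version, because its right-hand side is what gets compiled; a
// replacement without a version token (local path, fork) is returned verbatim
// so the caller can see that the check cannot decide.
func goGitVersion(text string) string {
	var required, replaced string
	for _, line := range strings.Split(text, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // drop go.mod line comments
			line = line[:i]
		}
		lhs, rhs, isReplace := strings.Cut(line, "=>")
		if !isReplace {
			if v, ok := versionAfter(lhs); ok {
				required = v
			}
		} else if strings.Contains(lhs, goGitModule) {
			if v, ok := versionAfter(rhs); ok {
				replaced = v
			} else {
				replaced = "=> " + strings.TrimSpace(rhs)
			}
		}
	}
	if replaced != "" {
		return replaced
	}
	return required
}

// checkGoGit returns the resolved go-git version ("" when go-git is not a
// dependency at all) and whether it is below the first fixed release.
func checkGoGit(text string) (version string, vulnerable bool) {
	ver := goGitVersion(text)
	return ver, lessThan(ver, goGitFixed)
}

func main() {
	ver, vuln := checkGoGit(sampleGoMod)
	fmt.Printf("%s %s vulnerable=%v (fixed in %s)\n", goGitModule, ver, vuln, goGitFixed)
}
```

Feed it `go list -m all` rather than a library's go.mod when you want the version minimal version selection actually picks for a build, and `go version -m` on the deployed binary when you want ground truth for what is running. A "vulnerable=false" result does not mean the client was ever exposed: per the description above, only clients that fetch from a Git server an attacker controls can be hit, and applications using only the go-git in-memory filesystem are not affected; the check reports the version, not the deployment context.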

Comment 3 errata-xmlrpc 2024-01-18 16:37:34 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:0298 https://access.redhat.com/errata/RHSA-2024:0298

Comment 72 errata-xmlrpc 2024-02-07 16:41:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641

Comment 73 errata-xmlrpc 2024-02-07 17:36:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642

Comment 74 errata-xmlrpc 2024-02-07 20:08:43 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2024:0729 https://access.redhat.com/errata/RHSA-2024:0729

Comment 79 errata-xmlrpc 2024-02-13 17:23:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0735 https://access.redhat.com/errata/RHSA-2024:0735

Comment 80 errata-xmlrpc 2024-02-14 05:51:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0740 https://access.redhat.com/errata/RHSA-2024:0740

Comment 81 errata-xmlrpc 2024-02-14 06:34:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741

Comment 82 errata-xmlrpc 2024-02-14 18:45:23 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2024:0820 https://access.redhat.com/errata/RHSA-2024:0820

Comment 83 errata-xmlrpc 2024-02-15 12:55:50 UTC
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843

Comment 85 Jeremy West 2024-02-16 17:31:18 UTC
Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2259799]

Comment 86 Jeremy West 2024-02-16 19:43:56 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259801]

Comment 87 Jeremy West 2024-02-16 19:43:57 UTC
Created pack tracking bugs for this issue:

Affects: epel-8 [bug 2259800]

Comment 88 Jeremy West 2024-02-16 19:44:00 UTC
Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259802]

Comment 89 Jeremy West 2024-02-16 19:44:05 UTC
Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259803]

Comment 90 Jeremy West 2024-02-16 19:44:09 UTC
Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259807]

Comment 96 errata-xmlrpc 2024-02-20 11:03:36 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880

Comment 97 errata-xmlrpc 2024-02-21 00:30:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0832 https://access.redhat.com/errata/RHSA-2024:0832

Comment 98 errata-xmlrpc 2024-02-21 01:40:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0845 https://access.redhat.com/errata/RHSA-2024:0845

Comment 99 errata-xmlrpc 2024-02-21 01:44:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833

Comment 101 errata-xmlrpc 2024-02-26 16:07:58 UTC
This issue has been addressed in the following products:

  multicluster-globalhub 1.0 for RHEL 8

Via RHSA-2024:0989 https://access.redhat.com/errata/RHSA-2024:0989

Comment 102 errata-xmlrpc 2024-02-27 19:47:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197

Comment 105 errata-xmlrpc 2024-03-06 00:38:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1052 https://access.redhat.com/errata/RHSA-2024:1052

Comment 107 Jeremy West 2024-03-19 15:16:26 UTC
Created pack tracking bugs for this issue:

Affects: fedora-39 [bug 2259823]

Comment 108 Jeremy West 2024-03-19 17:55:30 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-39 [bug 2259821]

Comment 109 Jeremy West 2024-03-19 17:55:35 UTC
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-39 [bug 2259819]

Comment 110 Jeremy West 2024-03-19 18:03:20 UTC
Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-39 [bug 2259817]

Comment 111 Jeremy West 2024-03-19 18:03:28 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-39 [bug 2259815]

Comment 112 Jeremy West 2024-03-19 18:22:55 UTC
Created pack tracking bugs for this issue:

Affects: fedora-38 [bug 2259813]

Comment 113 Jeremy West 2024-03-19 18:23:02 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-38 [bug 2259811]

Comment 114 Jeremy West 2024-03-19 19:34:40 UTC
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-38 [bug 2259809]

Comment 115 Jeremy West 2024-03-19 19:34:48 UTC
Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259806]

Comment 116 Jeremy West 2024-03-19 19:34:50 UTC
Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259804]

Comment 117 Jeremy West 2024-03-19 21:00:07 UTC
Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-38 [bug 2259808]

Comment 118 Jeremy West 2024-03-19 21:00:14 UTC
Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259805]

Comment 119 Brad Smith 2024-03-19 21:55:56 UTC
(In reply to Jeremy West from comment #118)
> Created cri-o:1.25/cri-o tracking bugs for this issue:
> 
> Affects: fedora-38 [bug 2259805]

cri-o 1.25 (and kubernetes 1.25) were in Fedora 37 which is end of life. Kubernetes 1.25 is also end of life. Propose cri-o 1.25 also be end of life

Comment 120 Brad Smith 2024-03-19 21:56:50 UTC
(In reply to Jeremy West from comment #116)
> Created cri-o:1.24/cri-o tracking bugs for this issue:
> 
> Affects: fedora-38 [bug 2259804]

Should be end-of-life. Available for fedora 36.

Comment 121 Brad Smith 2024-03-19 21:58:31 UTC
(In reply to Jeremy West from comment #90)
> Created cri-o:1.27/cri-o tracking bugs for this issue:
> 
> Affects: fedora-38 [bug 2259807]

cri-o 1.27 is default cri-o for fedora 39.

Comment 122 errata-xmlrpc 2024-03-22 15:42:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.9

Via RHSA-2024:0691 https://access.redhat.com/errata/RHSA-2024:0691

Comment 123 errata-xmlrpc 2024-03-22 16:04:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:0692 https://access.redhat.com/errata/RHSA-2024:0692

Comment 124 errata-xmlrpc 2024-03-28 05:31:18 UTC
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.0-RHEL-8

Via RHSA-2024:1557 https://access.redhat.com/errata/RHSA-2024:1557

Comment 125 errata-xmlrpc 2024-03-28 20:50:09 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:1570 https://access.redhat.com/errata/RHSA-2024:1570

Comment 126 errata-xmlrpc 2024-04-25 15:15:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896

Comment 127 errata-xmlrpc 2024-04-25 15:50:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1887 https://access.redhat.com/errata/RHSA-2024:1887

Comment 128 errata-xmlrpc 2024-04-26 12:38:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891

Comment 129 errata-xmlrpc 2024-05-02 16:37:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047

Comment 131 errata-xmlrpc 2024-06-13 14:24:29 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 7.1

Via RHSA-2024:3925 https://access.redhat.com/errata/RHSA-2024:3925

Comment 132 errata-xmlrpc 2024-06-18 23:31:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:3889 https://access.redhat.com/errata/RHSA-2024:3889

Comment 133 errata-xmlrpc 2024-06-26 02:06:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4010 https://access.redhat.com/errata/RHSA-2024:4010