Bug 2268021 (CVE-2024-24784)
| Summary: | CVE-2024-24784 golang: net/mail: comments in display names are incorrectly handled | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Robb Gatica <rgatica> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alcohan, amctagga, anjoseph, ansmith, aoconnor, asatyam, bdettelb, bniver, chazlett, Dan682Lee, dfreiber, dhanak, diagrawa, dkenigsb, doconnor, dperaza, drosa, drow, dsimansk, dymurray, eglynn, fdeutsch, flucifre, gmeno, gparvin, groman, ibolton, jbalunas, jburrell, jcantril, jchui, jjoyce, jmatthew, jmontleo, joelsmith, jprabhak, jschluet, kingland, kverlaen, lbainbri, lchilton, lhh, lsvaty, manissin, matzew, mbenjamin, mburns, mgarciac, mhackett, mnovotny, mrajanna, mwringe, njean, odf-bz-bot, oramraz, owatkins, pahickey, peholase, pgaikwad, pgrist, pierdipi, pjindal, rguimara, rhaigner, rhuss, rjohnson, rojacob, sabiswas, sakbas, saroy, sausingh, sdawley, sfeifer, shbose, sidakwo, sipoyare, slucidi, smullick, sostapov, sseago, stirabos, teagle, thason, vereddy, vkumar, whayutin, wtam |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | go 1.21.8, go 1.22.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Go's net/mail standard library package. The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions made by programs using different parsers.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2268250, 2268251, 2276465, 2276466, 2276467, 2276468, 2276469, 2276470, 2276471, 2276472, 2276473, 2276474, 2292182, 2292183, 2349673 | ||
| Bug Blocks: | 2268016 | ||
|
Description
Robb Gatica
2024-03-06 02:06:29 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2268251] Affects: fedora-all [bug 2268250] This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3259 https://access.redhat.com/errata/RHSA-2024:3259 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 3.2 Via RHSA-2024:3621 https://access.redhat.com/errata/RHSA-2024:3621 This issue has been addressed in the following products: OADP-1.3-RHEL-9 Via RHSA-2024:3790 https://access.redhat.com/errata/RHSA-2024:3790 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2024:4023 https://access.redhat.com/errata/RHSA-2024:4023 This issue has been addressed in the following products: RHOSS-1.33-RHEL-8 Via RHSA-2024:4028 https://access.redhat.com/errata/RHSA-2024:4028 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045 This issue has been addressed in the following products: RODOO-1.1-RHEL-9 Via RHSA-2024:1616 https://access.redhat.com/errata/RHSA-2024:1616 This issue has been addressed in the following products: OSSO-1.3-RHEL-9 Via RHSA-2024:3637 https://access.redhat.com/errata/RHSA-2024:3637 This issue has been addressed in the following products: KDO-5.0-RHEL-9 Via RHSA-2024:3617 https://access.redhat.com/errata/RHSA-2024:3617 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2024:4520 https://access.redhat.com/errata/RHSA-2024:4520 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969 This issue has been addressed in the following products: Red Hat OpenStack Services on OpenShift PODIFIED 1.0 Via RHSA-2024:9485 https://access.redhat.com/errata/RHSA-2024:9485 This issue has been addressed in the following products: Red Hat Ceph Storage 8.1 Via RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775 The issue with ParseAddressList is that it mishandles comments (text in parentheses) inside display names, which makes its behavior diverge from conforming address parsers. This inconsistency can be problematic because different programs may interpret the same address string differently, leading to mismatched trust decisions or security checks. In practice, it means one parser might accept or trust an address while another rejects or flags it, creating potential vulnerabilities or confusion in systems that rely on consistent parsing. https://www.greensky-online.com |