Bug 1401985 (CVE-2017-1000098) - CVE-2017-1000098 golang: net/http: multipart ReadForm close file after copy
Summary: CVE-2017-1000098 golang: net/http: multipart ReadForm close file after copy
Status: NEW
Alias: CVE-2017-1000098
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1401987 1401988 1405647 1405648
Blocks: 1401989
Reported: 2016-12-06 14:10 UTC by Adam Mariš
Modified: 2019-09-29 14:01 UTC (History)

Fixed In Version: golang 1.6.4, golang 1.7.4
Doc Text:
Clone Of:
Last Closed: 2017-01-12 01:24:34 UTC


Description Adam Mariš 2016-12-06 14:10:09 UTC
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

Upstream bug:


Upstream patch:


External Reference:


Comment 1 Adam Mariš 2016-12-06 14:11:07 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1401987]
Affects: epel-all [bug 1401988]
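
The temp-file behaviour described in the bug description can be checked from the server side. This is an added example, not code from the Go project or from this bug report: it parses a constructed upload and counts the temp files that exist after Request.ParseMultipartForm and again after MultipartForm.RemoveAll, with the whole body capped by http.MaxBytesReader. The helper name spoolCheck, the sizes, the field and file names, and the reliance on $TMPDIR (Unix) are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"os"
)

const maxMemory = 1 << 10 // file bytes held in RAM before ReadForm spools to disk

// spoolCheck (hypothetical helper) parses a constructed upload and returns the
// temp-file count right after parsing and again after RemoveAll.
func spoolCheck(fileSize int, bodyCap int64) (parsed, cleaned int, err error) {
	old := os.Getenv("TMPDIR")
	dir, err := os.MkdirTemp("", "spool")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	defer os.Setenv("TMPDIR", old)
	os.Setenv("TMPDIR", dir) // Unix: multipart temp files are created under $TMPDIR
	count := func() int { e, _ := os.ReadDir(dir); return len(e) }

	var body bytes.Buffer // constructed sample request body
	mw := multipart.NewWriter(&body)
	part, _ := mw.CreateFormFile("f", "sample.bin")
	part.Write(bytes.Repeat([]byte("A"), fileSize))
	mw.Close()

	req := httptest.NewRequest(http.MethodPost, "/upload", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	req.Body = http.MaxBytesReader(httptest.NewRecorder(), req.Body, bodyCap)

	if err = req.ParseMultipartForm(maxMemory); err != nil {
		return 0, 0, err // a body larger than bodyCap is rejected here
	}
	parsed = count()
	err = req.MultipartForm.RemoveAll() // delete the spooled temp files
	return parsed, count(), err
}

func main() {
	fmt.Println(spoolCheck(8<<10, 1<<20)) // larger than maxMemory: spooled, then removed
	fmt.Println(spoolCheck(512, 1<<20))   // fits in maxMemory: no temp file
	fmt.Println(spoolCheck(8<<10, 1<<10)) // body over the cap: parse error
}
```

In a handler, the same two controls apply: wrap r.Body with http.MaxBytesReader before parsing and call r.MultipartForm.RemoveAll() once the upload has been processed.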
