Bug 1401985 – CVE-2017-1000098 golang: net/http: multipart ReadForm close file after copy

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1401985 - (CVE-2017-1000098) CVE-2017-1000098 golang: net/http: multipart ReadForm close file after copy

Summary:	CVE-2017-1000098 golang: net/http: multipart ReadForm close file after copy

Status:	NEW

Aliases:	CVE-2017-1000098

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20161201,repor...
Keywords:	Reopened, Security

Depends On:	1401987 1401988 1405647 1405648
Blocks:	1401989
	Show dependency tree / graph

Reported:	2016-12-06 09:10 EST by Adam Mariš
Modified:	2018-08-03 02:55 EDT (History)
CC List:	46 users (show)

See Also:
Fixed In Version:	golang 1.6.4, golang 1.7.4
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-01-11 20:24:34 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2016-12-06 09:10:09 EST

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

Upstream bug:

https://github.com/golang/go/issues/17965

Upstream patch:

https://go-review.googlesource.com/#/c/30410/

External Reference:

https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ

Comment 1 Adam Mariš 2016-12-06 09:11:07 EST

Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1401987]
Affects: epel-all [bug 1401988]

Comment 6 Tomas Hoger 2018-08-01 03:52:38 EDT

Upstream commit:

https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
https://github.com/golang/go/commit/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184

Upstream bug with more details:

https://github.com/golang/go/issues/16296

Note You need to log in before you can comment on or make changes to this bug.

admiller
ahardin
amurdaca
aortega
apevec
ayoung
bleanhar
ccoleman
chrisw
cvsbot-xmlrpc
dedgar
deparker
dmcphers
golang-updates
jcajka
jgoulding
jialiu
jkeck
joelsmith
jokerman
jschluet
kbasil
kseifried
lemenkov
lhh
lmeyer
lpeer
markmc
mchappel
mmccomas
rbryant
renich
rhs-bugs
sclewis
sgirijan
sisharma
slong
smohan
srevivo
ssaha
s
storage-qa-internal
tdawson
tdecacqu
vbatts
vbellur