Bug 1633022 – CVE-2018-17142 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1633022 - (CVE-2018-17142) CVE-2018-17142 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html

Summary:	CVE-2018-17142 golang-org-x-net-html: Runtime panic in html.Parse() via craft...

Status:	NEW

Aliases:	CVE-2018-17142

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180926,repor...
Keywords:	Security

Depends On:	1633023 1633024 1633025 CVE-2018-17143 CVE-2018-17075 1639104 1639105 1633026
Blocks:	1633033
	Show dependency tree / graph

Reported:	2018-09-26 01:34 EDT by Sam Fowler
Modified:	2018-10-19 02:19 EDT (History)
CC List:	46 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2018-09-26 01:34:54 EDT

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.


Upstream Issue:

https://github.com/golang/go/issues/27702

Comment 1 Sam Fowler 2018-09-26 01:36:41 EDT

Created heketi tracking bugs for this issue:

Affects: epel-6 [bug 1633026]
Affects: fedora-all [bug 1633025]


Created kompose tracking bugs for this issue:

Affects: fedora-all [bug 1633024]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1633023]

Comment 2 Siddharth Sharma 2018-10-11 06:43:27 EDT

upstream fix:

https://github.com/golang/net/commit/cf3bd585ca2a5a21b057abd8be7eea2204af89d0

Comment 3 Sam Fowler 2018-10-15 01:40:31 EDT

Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-6 [bug 1639105]
Affects: fedora-all [bug 1639104]

Comment 4 Scott Gayou 2018-10-16 17:02:29 EDT

Version packaged by RHEL (around 2014) does not seem to include the template functionality. Vulnerable behavior looks to have been introduced here, in 2017: https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622

Reproducer does not trigger an exception.

Comment 5 Summer Long 2018-10-19 02:19:09 EDT

OpenStack OpTools 8/9 grafana versions do not include net/html, which includes the flawed code. OpenStack OpTools golang-googecode-net 9 does have the code, but this version does not support templates (which is needed for flaw exploitation).

Note You need to log in before you can comment on or make changes to this bug.

admiller
ahardin
apevec
bleanhar
ccoleman
chrisw
dedgar
dustymabe
eparis
extras-orphan
fpokorny
hchiramm
jcajka
jchaloup
jgoulding
jjoyce
jmulligan
jokerman
jrivera
jschluet
kbasil
kramdoss
kumarpraveen.nitdgp
lhh
lpabon
lpeer
madam
markmc
mburns
mchappel
mmagr
ramkrsna
rbryant
rhs-bugs
sankarshan
sclewis
sisharma
slinaber
smohan
ssaha
storage-qa-internal
tdawson
tdecacqu
thrcka
vbatts
vbellur