Bug 1633036 – CVE-2018-17143 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1633036 - (CVE-2018-17143) CVE-2018-17143 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html

Summary:	CVE-2018-17143 golang-org-x-net-html: Runtime panic in html.Parse() via craft...

Status:	NEW

Aliases:	CVE-2018-17143

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180926,repor...
Keywords:	Security

Depends On:	1633037 1633038 1633039 1638190 1639102 1639103 1633040
Blocks:	CVE-2018-17142 1633033
	Show dependency tree / graph

Reported:	2018-09-26 02:11 EDT by Sam Fowler
Modified:	2018-10-19 02:19 EDT (History)
CC List:	46 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2018-09-26 02:11:15 EDT

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.


Upstream Issue:

https://github.com/golang/go/issues/27704


Upstream Patch:

https://go-review.googlesource.com/c/net/+/136575

Comment 1 Sam Fowler 2018-09-26 02:12:18 EDT

Created heketi tracking bugs for this issue:

Affects: epel-6 [bug 1633040]
Affects: fedora-all [bug 1633039]


Created kompose tracking bugs for this issue:

Affects: fedora-all [bug 1633038]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1633037]

Comment 3 Siddharth Sharma 2018-10-11 06:46:07 EDT

upstream fix

https://github.com/golang/net/commit/2f5d2388922f370f4355f327fcf4cfe9f5583908

Comment 4 Sam Fowler 2018-10-15 01:39:11 EDT

Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-6 [bug 1639103]
Affects: fedora-all [bug 1639102]

Comment 5 Scott Gayou 2018-10-16 17:17:12 EDT

RHEL7 (source from roughly 2014) not affected by reproducer. Most likely occurred when the template changes were merged in 2017. (guessing https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622)

Comment 6 Summer Long 2018-10-19 02:19:55 EDT

OpenStack OpTools 8/9 grafana versions do not include net/html, which includes the flawed code. OpenStack OpTools 9 golang-googlecode-net does have the flawed code.

Note You need to log in before you can comment on or make changes to this bug.

admiller
ahardin
apevec
bleanhar
ccoleman
chrisw
dedgar
dustymabe
eparis
extras-orphan
fpokorny
hchiramm
jcajka
jchaloup
jgoulding
jjoyce
jmulligan
jokerman
jrivera
jschluet
kbasil
kramdoss
kumarpraveen.nitdgp
lhh
lpabon
lpeer
madam
markmc
mburns
mchappel
mmagr
ramkrsna
rbryant
rhs-bugs
sankarshan
sclewis
sisharma
slinaber
smohan
ssaha
storage-qa-internal
tdawson
tdecacqu
thrcka
vbatts
vbellur