1633036 – (CVE-2018-17143) CVE-2018-17143 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html

Bug 1633036 (CVE-2018-17143) - CVE-2018-17143 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html

Summary: CVE-2018-17143 golang-org-x-net-html: Runtime panic in html.Parse() via craft...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-17143
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1633037 1633038 1633039 1633040 1638190 1639102 1639103 1651093
Blocks:	CVE-2018-17142 1633033
TreeView+	depends on / blocked

Reported:	2018-09-26 06:11 UTC by Sam Fowler
Modified:	2021-10-25 22:19 UTC (History)
CC List:	46 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-25 22:19:23 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-09-26 06:11:15 UTC

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.


Upstream Issue:

https://github.com/golang/go/issues/27704


Upstream Patch:

https://go-review.googlesource.com/c/net/+/136575

Comment 1 Sam Fowler 2018-09-26 06:12:18 UTC

Created heketi tracking bugs for this issue:

Affects: epel-6 [bug 1633040]
Affects: fedora-all [bug 1633039]


Created kompose tracking bugs for this issue:

Affects: fedora-all [bug 1633038]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1633037]

Comment 3 Siddharth Sharma 2018-10-11 10:46:07 UTC

upstream fix

https://github.com/golang/net/commit/2f5d2388922f370f4355f327fcf4cfe9f5583908

Comment 4 Sam Fowler 2018-10-15 05:39:11 UTC

Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-6 [bug 1639103]
Affects: fedora-all [bug 1639102]

Comment 5 Scott Gayou 2018-10-16 21:17:12 UTC

RHEL7 (source from roughly 2014) not affected by reproducer. Most likely occurred when the template changes were merged in 2017. (guessing https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622)

Comment 6 Summer Long 2018-10-19 06:19:55 UTC

OpenStack OpTools 8/9 grafana versions do not include net/html, which includes the flawed code. OpenStack OpTools 9 golang-googlecode-net does have the flawed code.

Comment 8 Joshua Padman 2019-08-21 02:27:56 UTC

Kompose was in DevTools as part of devsuite. Devsuite is now retired (https://developers.redhat.com/products/devsuite/overview/)

Note You need to log in before you can comment on or make changes to this bug.

admiller
ahardin
apevec
bleanhar
bmontgom
bodavis
ccoleman
chrisw
dedgar
dustymabe
eparis
extras-orphan
fpokorny
hchiramm
jarrpa
jburrell
jcajka
jchaloup
jgoulding
jjoyce
jmulligan
jokerman
jpadman
jschluet
kramdoss
kumarpraveen.nitdgp
lhh
lpabon
lpeer
madam
markmc
mburns
mchappel
mmagr
mnewsome
nstielau
ramkrsna
rbryant
rhs-bugs
sclewis
sisharma
slinaber
sponnaga
tdawson
tdecacqu
thrcka