Bug 1633041 (CVE-2018-17075) - CVE-2018-17075 golang-org-x-net-html: Mishandle of "in frameset" causes runtime panic in html.Parse() via crafted html
Summary: CVE-2018-17075 golang-org-x-net-html: Mishandle of "in frameset" causes runti...
Alias: CVE-2018-17075
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1633042 1633043 1633044 1639107 1633045 1639106
Blocks: CVE-2018-17142 1633033
TreeView+ depends on / blocked
Reported: 2018-09-26 06:14 UTC by Sam Fowler
Modified: 2020-07-08 08:56 UTC (History)
51 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-21 02:47:00 UTC

Attachments (Terms of Use)

Description Sam Fowler 2018-09-26 06:14:36 UTC
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit.

Upstream Issue:


Upstream Patch:


Comment 1 Sam Fowler 2018-09-26 06:18:54 UTC
Created heketi tracking bugs for this issue:

Affects: epel-6 [bug 1633045]
Affects: fedora-all [bug 1633044]

Created kompose tracking bugs for this issue:

Affects: fedora-all [bug 1633043]

Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1633042]

Comment 2 Sam Fowler 2018-10-15 05:41:59 UTC
Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-6 [bug 1639107]
Affects: fedora-all [bug 1639106]

Comment 3 Scott Gayou 2018-10-16 21:24:44 UTC
RHEL7 (source from roughly 2014) not affected by reproducer. Most likely occurred when the template changes were merged in 2017. (guessing https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622)

Source analysis doesn't hint that this may be affected either, missing template etc.

Comment 4 Summer Long 2018-10-19 06:21:35 UTC
OpenStack OpTools 8/9 grafana versions do not include net/html, which includes the flawed code. OpenStack OpTools 9 golang-googlecode-net does not have the flawed code (already fixed).

Comment 5 Joshua Padman 2019-08-21 02:27:43 UTC
Kompose was in DevTools as part of devsuite. Devsuite is now retired (https://developers.redhat.com/products/devsuite/overview/)

Comment 6 Product Security DevOps Team 2019-08-21 02:47:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.