Bug 1639109 – CVE-2018-17846 golang-org-x-net-html: infinite loop during html.Parse() via inSelectIM and inSelectInTableIM

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1639109 - (CVE-2018-17846) CVE-2018-17846 golang-org-x-net-html: infinite loop during html.Parse() via inSelectIM and inSelectInTableIM

Summary:	CVE-2018-17846 golang-org-x-net-html: infinite loop during html.Parse() via i...

Status:	NEW

Aliases:	CVE-2018-17846

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20181001,repor...
Keywords:	Security

Depends On:	1639110 1639111 1639112 1639114 1639115 1639113
Blocks:	1633033
	Show dependency tree / graph

Reported:	2018-10-15 02:07 EDT by Sam Fowler
Modified:	2018-10-30 00:38 EDT (History)
CC List:	47 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2018-10-15 02:07:12 EDT

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.


Upstream Issue:

https://github.com/golang/go/issues/27842

Comment 1 Sam Fowler 2018-10-15 02:08:17 EDT

Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-6 [bug 1639115]
Affects: fedora-all [bug 1639114]


Created heketi tracking bugs for this issue:

Affects: epel-6 [bug 1639113]
Affects: fedora-all [bug 1639112]


Created kompose tracking bugs for this issue:

Affects: fedora-all [bug 1639111]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1639110]

Comment 2 Scott Gayou 2018-10-16 17:48:49 EDT

Potential Upstream Fix:

https://go-review.googlesource.com/c/net/+/137275

While the patch does look applicable, I am unable to reproduce this on RHEL.

time ./poc

real	0m0.007s
user	0m0.002s
sys	0m0.005s

Comment 3 Summer Long 2018-10-30 00:38:00 EDT

OpenStack OpTools 8 and 9 grafana versions do not include net/html, which has the flawed code, setting these to NotAffected.

Note You need to log in before you can comment on or make changes to this bug.

admiller
ahardin
apevec
bleanhar
ccoleman
chrisw
dedgar
dustymabe
eparis
extras-orphan
fpokorny
hchiramm
jcajka
jchaloup
jgoulding
jjoyce
jmulligan
jokerman
jrivera
jschluet
kbasil
kramdoss
kumarpraveen.nitdgp
lhh
lpabon
lpeer
madam
markmc
mburns
mchappel
mmagr
ramkrsna
rbryant
rhs-bugs
sankarshan
sclewis
sfowler
sisharma
slinaber
smohan
ssaha
storage-qa-internal
tdawson
tdecacqu
thrcka
vbatts
vbellur