Bug 1867099 (CVE-2020-16845) - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
Summary: CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited numbe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-16845
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1859441 1859442 1865875 1866622 1866623 1866624 1866625 1866626 1866627 1866628 1866629 1866630 1866631 1866632 1866633 1866634 1866635 1866636 1866637 1866638 1866639 1866640 1866641 1866642 1866643 1866644 1866645 1866646 1866647 1866648 1866649 1866650 1866651 1866652 1866653 1866654 1866655 1866656 1866657 1866658 1866660 1866661 1866662 1866663 1866664 1866665 1866666 1866667 1866668 1866669 1866670 1866671 1866672 1866673 1866674 1866675 1866676 1866945 1866946 1867100 1867101 1867484 1867485 1867487 1867522 1867531 1867532 1867537 1867540 1867541 1867542 1867543 1867557 1869544 1869545 1869546 1873281 1873282 1873283 1873284 1873285 1874893 1875477 1878636 1881579 1883099 1883100 1883101 1883102 1883103 1883104 1883105 1883106 1883107 1883108 1883109 1883110 1883111 1883112 1883113 1883114 1883115 1883116 1883117 1883118 1883119 1883120 1883121 1883122 1883123 1883124 1883125 1883126 1883127 1883128 1883129 1883130 1932964 1932969 1933013 1933040 1933080 1941198 1941520 1941530 1941540 1941550 1941585
Blocks: 1867102
Reported: 2020-08-07 11:18 UTC by Michael Kaplan
Modified: 2023-02-07 17:07 UTC (History)

Fixed In Version: Go 1.14.7, Go 1.13.15, Go 1.15rc2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Go encoding/binary package. Certain invalid inputs to ReadUvarint or ReadVarint cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw can lead to processing more input than expected. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-09-08 13:19:48 UTC
Embargoed:


Links
System                 | ID                     | Private | Priority | Status | Summary                                                                | Last Updated
Github                 | ulikunitz xz issues 35 | 0       | None     | closed | [SECURITY] Implementation of readUvarint vulnerable to CVE-2020-16845 | 2021-02-09 06:09:09 UTC
Red Hat Product Errata | RHSA-2020:3665         | 0       | None     | None   | None                                                                   | 2020-09-08 09:48:01 UTC
Red Hat Product Errata | RHSA-2020:4201         | 0       | None     | None   | None                                                                   | 2020-10-06 23:54:27 UTC
Red Hat Product Errata | RHSA-2020:4214         | 0       | None     | None   | None                                                                   | 2020-10-08 10:51:08 UTC
Red Hat Product Errata | RHSA-2020:4297         | 0       | None     | None   | None                                                                   | 2020-10-27 14:54:07 UTC
Red Hat Product Errata | RHSA-2020:5118         | 0       | None     | None   | None                                                                   | 2020-11-24 12:42:13 UTC
Red Hat Product Errata | RHSA-2020:5119         | 0       | None     | None   | None                                                                   | 2020-11-24 11:56:19 UTC
Red Hat Product Errata | RHSA-2020:5159         | 0       | None     | None   | None                                                                   | 2020-11-30 15:04:42 UTC
Red Hat Product Errata | RHSA-2020:5605         | 0       | None     | None   | None                                                                   | 2020-12-17 06:22:20 UTC
Red Hat Product Errata | RHSA-2020:5606         | 0       | None     | None   | None                                                                   | 2020-12-17 05:42:22 UTC
Red Hat Product Errata | RHSA-2020:5649         | 0       | None     | None   | None                                                                   | 2020-12-22 04:58:48 UTC
Red Hat Product Errata | RHSA-2021:0072         | 0       | None     | None   | None                                                                   | 2021-01-11 21:59:15 UTC
Red Hat Product Errata | RHSA-2021:0713         | 0       | None     | None   | None                                                                   | 2021-03-11 04:46:54 UTC
Red Hat Product Errata | RHSA-2021:0799         | 0       | None     | None   | None                                                                   | 2021-03-10 11:15:43 UTC
Red Hat Product Errata | RHSA-2021:4103         | 0       | None     | None   | None                                                                   | 2021-11-02 13:31:35 UTC

Description Michael Kaplan 2020-08-07 11:18:07 UTC
Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

References:

https://groups.google.com/forum/#!topic/golang-announce/_ulYYcIWg3Q
https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo
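
The unbounded read loop described above, as an added example that is not code from the page or from the Go project: readUvarint with limit <= 0 keeps the pre-fix loop shape, while limit = MaxVarintLen64 follows the shape of the upstream fix (a hard cap of 10 bytes). The helper bytesConsumed and its input of constructed continuation bytes (0x80 with no terminator) are assumptions made here to measure how much input each variant pulls from the reader before returning an error.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

const MaxVarintLen64 = 10 // longest valid varint encoding of a uint64
var errOverflow = errors.New("varint overflows a 64-bit integer")

// readUvarint decodes a base-128 varint from r. With limit <= 0 it keeps the
// pre-fix loop shape: overflow is only detected once a terminating byte (< 0x80)
// arrives, so a run of continuation bytes is read until r itself fails. With
// limit = MaxVarintLen64 the loop stops after 10 bytes, the shape of the fix.
func readUvarint(r io.ByteReader, limit int) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; limit <= 0 || i < limit; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 {
			if i > 9 || i == 9 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow
}

// bytesConsumed feeds n constructed continuation bytes (0x80, no terminator)
// to readUvarint and reports how many were read before it returned an error.
func bytesConsumed(n, limit int) (int, error) {
	r := bytes.NewReader(bytes.Repeat([]byte{0x80}, n))
	_, err := readUvarint(r, limit)
	return n - r.Len(), err
}

func main() {
	for _, limit := range []int{0, MaxVarintLen64} {
		n, err := bytesConsumed(1<<20, limit)
		fmt.Printf("limit=%d: read %d bytes, err=%v\n", limit, n, err)
	}
}
```

With a 1 MiB stream of continuation bytes the unbounded variant consumes the whole stream and only stops at EOF, whereas the capped variant returns an overflow error after 10 bytes.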

Comment 1 Michael Kaplan 2020-08-07 11:18:54 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1867100]
Affects: fedora-all [bug 1867101]

Comment 2 Sam Fowler 2020-08-11 23:47:48 UTC
External References:

https://groups.google.com/g/golang-announce/c/NyPIaucMgXo

Comment 4 Przemyslaw Roguski 2020-08-12 12:14:37 UTC
upstream patch: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258%5E%21/

Comment 20 Dominik 'Rathann' Mierzejewski 2020-08-20 09:47:33 UTC
golang-github-ulikunitz-xz is also affected and the fix is included in 0.5.8.

Comment 25 Fedora Update System 2020-08-28 14:55:21 UTC
FEDORA-2020-e384830a0d has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 26 Fedora Update System 2020-08-28 14:57:52 UTC
FEDORA-2020-deff052e7a has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 33 Sage McTaggart 2020-09-03 14:47:33 UTC
Statement:

OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization components are primarily written in Go, meaning that any component using the encoding/binary package includes the vulnerable code. The affected components are behind OpenShift OAuth authentication, therefore the impact is low.

Red Hat Gluster Storage 3, Red Hat OpenShift Container Storage 4 and Red Hat Ceph Storage (3 and 4) components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.

Comment 36 errata-xmlrpc 2020-09-08 09:47:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3665 https://access.redhat.com/errata/RHSA-2020:3665

Comment 37 Product Security DevOps Team 2020-09-08 13:19:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-16845

Comment 42 errata-xmlrpc 2020-10-06 23:54:22 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.4
  RHEL-7-CNV-2.4

Via RHSA-2020:4201 https://access.redhat.com/errata/RHSA-2020:4201

Comment 45 errata-xmlrpc 2020-10-08 10:50:56 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:4214 https://access.redhat.com/errata/RHSA-2020:4214

Comment 46 errata-xmlrpc 2020-10-27 14:54:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297

Comment 48 errata-xmlrpc 2020-11-24 11:56:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:5119 https://access.redhat.com/errata/RHSA-2020:5119

Comment 49 errata-xmlrpc 2020-11-24 12:42:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:5118 https://access.redhat.com/errata/RHSA-2020:5118

Comment 50 errata-xmlrpc 2020-11-30 15:04:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:5159 https://access.redhat.com/errata/RHSA-2020:5159

Comment 51 errata-xmlrpc 2020-12-17 05:42:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.6.0 on RHEL-8

Via RHSA-2020:5606 https://access.redhat.com/errata/RHSA-2020:5606

Comment 52 errata-xmlrpc 2020-12-17 06:22:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.6.0 on RHEL-8

Via RHSA-2020:5605 https://access.redhat.com/errata/RHSA-2020:5605

Comment 53 errata-xmlrpc 2020-12-22 04:58:45 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:5649 https://access.redhat.com/errata/RHSA-2020:5649

Comment 54 errata-xmlrpc 2021-01-11 21:59:51 UTC
This issue has been addressed in the following products:

  OpenShift Serverless 1.9.0

Via RHSA-2021:0072 https://access.redhat.com/errata/RHSA-2021:0072

Comment 55 Mark Cooper 2021-02-11 15:43:17 UTC
Used fixcvenames for http://127.0.0.1:5600/static/#/tracker/jboss/TRACING-1415

It seems the new golang-builder that was released in Nov 2020 actually fixed this: openshift-golang-builder-container-v1.14.0-202011132014.el7

It's misleading and is actually 1.14.9-2

Comment 56 errata-xmlrpc 2021-03-10 11:15:35 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799

Comment 57 errata-xmlrpc 2021-03-11 04:46:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0713 https://access.redhat.com/errata/RHSA-2021:0713

Comment 58 errata-xmlrpc 2021-03-30 16:46:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0956 https://access.redhat.com/errata/RHSA-2021:0956

Comment 59 errata-xmlrpc 2021-04-13 23:32:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:1016 https://access.redhat.com/errata/RHSA-2021:1016

Comment 60 errata-xmlrpc 2021-05-04 19:32:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366

Comment 61 errata-xmlrpc 2021-06-01 04:09:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2122 https://access.redhat.com/errata/RHSA-2021:2122

Comment 63 errata-xmlrpc 2021-11-02 13:31:31 UTC
This issue has been addressed in the following products:

  RHEL-7-CNV-4.9
  RHEL-8-CNV-4.9

Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103
