Bug 1867099 (CVE-2020-16845) - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-16845
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1859441 1859442 1866622 1866623 1866624 1866625 1866626 1866627 1866628 1866629 1866630 1866631 1866632 1866633 1866634 1866635 1866636 1866637 1866638 1866639 1866640 1866641 1866642 1866643 1866644 1866645 1866646 1866647 1866648 1866649 1866650 1866651 1866652 1866653 1866654 1866655 1866656 1866657 1866658 1866660 1866661 1866662 1866663 1866664 1866665 1866666 1866667 1866668 1866669 1866670 1866671 1866672 1866673 1866674 1866675 1866676 1866945 1866946 1867484 1867485 1867487 1867531 1867532 1867540 1867541 1867542 1867543 1867557 1869544 1873283 1873285 1875477 1883104 1865875 1867100 1867101 1867522 1867537 1869545 1869546 1873281 1873282 1873284 1874893 1878636 1881579 1883099 1883100 1883101 1883102 1883103 1883105 1883106 1883107 1883108 1883109 1883110 1883111 1883112 1883113 1883114 1883115 1883116 1883117 1883118 1883119 1883120 1883121 1883122 1883123 1883124 1883125 1883126 1883127 1883128 1883129 1883130
Blocks: 1867102
Reported: 2020-08-07 11:18 UTC by Michael Kaplan
Modified: 2020-10-27 14:54 UTC (History)
CC List: 75 users

Fixed In Version: Go 1.14.7, Go 1.13.15
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go encoding/binary package. Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected.
Clone Of:
Environment:
Last Closed: 2020-09-08 13:19:48 UTC




Links
System ID Priority Status Summary Last Updated
Github ulikunitz xz issues 35 None closed [SECURITY] Implementation of readUvarint vulnerable to CVE-2020-16845 2020-10-14 13:27:28 UTC
Red Hat Product Errata RHSA-2020:3665 None None None 2020-09-08 09:48:01 UTC
Red Hat Product Errata RHSA-2020:4201 None None None 2020-10-06 23:54:27 UTC
Red Hat Product Errata RHSA-2020:4214 None None None 2020-10-08 10:51:08 UTC
Red Hat Product Errata RHSA-2020:4297 None None None 2020-10-27 14:54:07 UTC

Description Michael Kaplan 2020-08-07 11:18:07 UTC
Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

References:

https://groups.google.com/forum/#!topic/golang-announce/_ulYYcIWg3Q
https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo
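To make the Doc Text and the description above concrete, here is an added example (not code from this bug, from Red Hat, or from the Go project) that measures how many bytes a varint decoder pulls from a reader before it gives up. The input is constructed: a buffer in which every byte has the continuation bit (0x80) set, so no valid varint ever terminates. `unboundedReadUvarint` is a hypothetical reconstruction of the loop shape the advisory describes (no upper bound on the byte count); `boundedReadUvarint` mirrors the shape of the upstream fix, capping the loop at `binary.MaxVarintLen64` (10) bytes; the real `encoding/binary.ReadUvarint` of a fixed Go toolchain is run alongside them for comparison. The `countingReader` wrapper and `BytesConsumed` helper are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// countingReader wraps an io.ByteReader and records how many bytes the
// decoder actually pulled from it (constructed for this example).
type countingReader struct {
	r io.ByteReader
	n int
}

func (c *countingReader) ReadByte() (byte, error) {
	b, err := c.r.ReadByte()
	if err == nil {
		c.n++
	}
	return b, err
}

var errOverflow = errors.New("varint overflows a 64-bit integer")

// unboundedReadUvarint models the pre-fix behaviour the bug describes: the
// loop has no cap on the number of bytes read, so a stream of bytes with
// the continuation bit set is consumed until the reader itself errors.
// Hypothetical reconstruction, not the stdlib source.
func unboundedReadUvarint(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; ; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 {
			if i > 9 || i == 9 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
}

// boundedReadUvarint stops after binary.MaxVarintLen64 (10) bytes, the shape
// of the upstream fix: an invalid input costs at most ten reads before an
// error is returned, whatever the reader has left.
func boundedReadUvarint(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF
			}
			return x, err
		}
		if b < 0x80 {
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow
}

// BytesConsumed runs decode over a constructed invalid input of n bytes that
// all carry the continuation bit and reports how many bytes were read before
// the decoder returned, together with the error it returned.
func BytesConsumed(decode func(io.ByteReader) (uint64, error), n int) (int, error) {
	cr := &countingReader{r: bytes.NewReader(bytes.Repeat([]byte{0x80}, n))}
	_, err := decode(cr)
	return cr.n, err
}

func main() {
	const n = 4096
	decoders := map[string]func(io.ByteReader) (uint64, error){
		"unbounded (pre-fix model)":   unboundedReadUvarint,
		"bounded (fixed model)":       boundedReadUvarint,
		"encoding/binary.ReadUvarint": binary.ReadUvarint,
	}
	for name, dec := range decoders {
		got, err := BytesConsumed(dec, n)
		fmt.Printf("%-28s read %d of %d bytes, err=%v\n", name, got, n, err)
	}
}
```

The unbounded model drains the whole 4096-byte buffer and only stops on io.EOF, which is the "more input than expected" effect the Doc Text describes; with a reader backed by a network connection there is no EOF to rescue it. Both bounded decoders return after exactly ten bytes with an overflow error, so the cost of an invalid varint is fixed regardless of how much data follows it.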

Comment 1 Michael Kaplan 2020-08-07 11:18:54 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1867100]
Affects: fedora-all [bug 1867101]

Comment 2 Sam Fowler 2020-08-11 23:47:48 UTC
External References:

https://groups.google.com/g/golang-announce/c/NyPIaucMgXo

Comment 4 Przemyslaw Roguski 2020-08-12 12:14:37 UTC
upstream patch: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258%5E%21/

Comment 20 Dominik 'Rathann' Mierzejewski 2020-08-20 09:47:33 UTC
golang-github-ulikunitz-xz is also affected and the fix is included in 0.5.8.

Comment 25 Fedora Update System 2020-08-28 14:55:21 UTC
FEDORA-2020-e384830a0d has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 26 Fedora Update System 2020-08-28 14:57:52 UTC
FEDORA-2020-deff052e7a has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 33 amctagga 2020-09-03 14:47:33 UTC
Statement:

OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization components are primarily written in Go, meaning that any component using the encoding/binary package includes the vulnerable code. The affected components are behind OpenShift OAuth authentication, therefore the impact is low.

Red Hat Gluster Storage 3, Red Hat OpenShift Container Storage 4 and Red Hat Ceph Storage (3 and 4) components are built with the affected version of Go; however, the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.

Comment 36 errata-xmlrpc 2020-09-08 09:47:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3665 https://access.redhat.com/errata/RHSA-2020:3665

Comment 37 Product Security DevOps Team 2020-09-08 13:19:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-16845

Comment 42 errata-xmlrpc 2020-10-06 23:54:22 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.4
  RHEL-7-CNV-2.4

Via RHSA-2020:4201 https://access.redhat.com/errata/RHSA-2020:4201

Comment 45 errata-xmlrpc 2020-10-08 10:50:56 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:4214 https://access.redhat.com/errata/RHSA-2020:4214

Comment 46 errata-xmlrpc 2020-10-27 14:54:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297
