Bug 2107342 (CVE-2022-30631) - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
Summary: CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
Keywords:
Status: NEW
Alias: CVE-2022-30631
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2107343 2111759 2111760 2111773 2111774 2111790 2111791 2111805 2111806 2111807 2111821 2111822 2111827 2111828 2112050 2112051 2112052 2112053 2112055 2112059 2112060 2112061 2112064 2112071 2112072 2112073 2112085 2115442 2115443 2115449 2115566 2115567 2115568 2115569 2117339 2117341 2109556 2109557 2109558 2109559 2109560 2109561 2109562 2109563 2109564 2109565 2109566 2109638 2109639 2110309 2110724 2111001 2111482 2111484 2111746 2111747 2111752 2111753 2111758 2111765 2111766 2111767 2111772 2111775 2111786 2111789 2111792 2111796 2111797 2111798 2111808 2111816 2111823 2111826 2111829 2111830 2111831 2111833 2111983 2111986 2112054 2112056 2112057 2112058 2112062 2112063 2112065 2112066 2112067 2112068 2112069 2112070 2112074 2112075 2112076 2112077 2112078 2112080 2112081 2112082 2112083 2112084 2114790 2114791 2114793 2115439 2115440 2115441 2115444 2115445 2115446 2115447 2115448 2115450 2115451 2115577 2115578 2115579 2115580 2115581 2115582 2115583 2115584 2115585 2115586 2115587 2115588 2115589 2115590 2115591 2115592 2115593 2115594 2115595 2115596 2115597 2115598 2115599 2115600 2116910 2116911 2116912 2116913 2116914 2116915 2116916 2116917 2116918 2116919 2123509 2123510 2123514 2123748 2123750 2123754
Blocks: 2108711
TreeView+ depends on / blocked
 
Reported: 2022-07-14 18:48 UTC by Anten Skrabec
Modified: 2023-02-02 02:06 UTC (History)
257 users (show)

Fixed In Version: golang 1.18.4, golang 1.17.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. Calling the Reader, Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5800 0 None None None 2022-08-01 15:59:31 UTC
Red Hat Product Errata RHBA-2022:6131 0 None None None 2022-08-22 19:35:53 UTC
Red Hat Product Errata RHSA-2022:5775 0 None None None 2022-08-01 12:04:06 UTC
Red Hat Product Errata RHSA-2022:5799 0 None None None 2022-08-01 16:04:06 UTC
Red Hat Product Errata RHSA-2022:5866 0 None None None 2022-08-02 09:53:33 UTC
Red Hat Product Errata RHSA-2022:5875 0 None None None 2022-08-09 02:36:13 UTC
Red Hat Product Errata RHSA-2022:5923 0 None None None 2022-08-08 16:42:44 UTC
Red Hat Product Errata RHSA-2022:5924 0 None None None 2022-08-08 16:57:34 UTC
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:16:01 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:37:25 UTC
Red Hat Product Errata RHSA-2022:6051 0 None None None 2022-08-18 16:05:00 UTC
Red Hat Product Errata RHSA-2022:6053 0 None None None 2022-08-22 21:15:37 UTC
Red Hat Product Errata RHSA-2022:6061 0 None None None 2022-08-15 09:17:35 UTC
Red Hat Product Errata RHSA-2022:6062 0 None None None 2022-08-15 09:18:58 UTC
Red Hat Product Errata RHSA-2022:6065 0 None None None 2022-08-15 09:44:51 UTC
Red Hat Product Errata RHSA-2022:6066 0 None None None 2022-08-15 09:46:19 UTC
Red Hat Product Errata RHSA-2022:6103 0 None None None 2022-08-23 15:08:11 UTC
Red Hat Product Errata RHSA-2022:6113 0 None None None 2022-08-18 15:10:37 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:41:17 UTC
Red Hat Product Errata RHSA-2022:6182 0 None None None 2022-09-06 13:22:36 UTC
Red Hat Product Errata RHSA-2022:6183 0 None None None 2022-09-06 13:32:38 UTC
Red Hat Product Errata RHSA-2022:6184 0 None None None 2022-08-25 05:50:11 UTC
Red Hat Product Errata RHSA-2022:6187 0 None None None 2022-08-25 10:09:14 UTC
Red Hat Product Errata RHSA-2022:6188 0 None None None 2022-08-25 11:21:20 UTC
Red Hat Product Errata RHSA-2022:6262 0 None None None 2022-09-09 05:15:04 UTC
Red Hat Product Errata RHSA-2022:6290 0 None None None 2022-09-01 01:25:16 UTC
Red Hat Product Errata RHSA-2022:6308 0 None None None 2022-09-14 20:38:55 UTC
Red Hat Product Errata RHSA-2022:6344 0 None None None 2022-09-06 17:00:47 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:33:50 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:02:35 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:58:27 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:42:57 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:29:35 UTC
Red Hat Product Errata RHSA-2022:6429 0 None None None 2022-09-13 00:58:46 UTC
Red Hat Product Errata RHSA-2022:6430 0 None None None 2022-09-13 02:10:20 UTC
Red Hat Product Errata RHSA-2022:6517 0 None None None 2022-09-14 12:48:49 UTC
Red Hat Product Errata RHSA-2022:6560 0 None None None 2022-09-26 09:41:26 UTC
Red Hat Product Errata RHSA-2022:6714 0 None None None 2022-09-26 15:27:29 UTC
Red Hat Product Errata RHSA-2022:7398 0 None None None 2023-01-17 14:51:12 UTC
Red Hat Product Errata RHSA-2022:7519 0 None None None 2022-11-08 09:26:02 UTC
Red Hat Product Errata RHSA-2022:7529 0 None None None 2022-11-08 09:28:29 UTC
Red Hat Product Errata RHSA-2022:7648 0 None None None 2022-11-08 10:00:12 UTC
Red Hat Product Errata RHSA-2022:8057 0 None None None 2022-11-15 10:06:36 UTC
Red Hat Product Errata RHSA-2022:8098 0 None None None 2022-11-15 10:14:51 UTC
Red Hat Product Errata RHSA-2022:8250 0 None None None 2022-11-15 10:43:50 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:11 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:35:01 UTC

Description Anten Skrabec 2022-07-14 18:48:09 UTC
Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

Comment 1 Anten Skrabec 2022-07-14 18:49:08 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107343]

Comment 10 Avinash Hanwate 2022-07-25 07:34:14 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110309]

Comment 31 errata-xmlrpc 2022-08-01 12:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775

Comment 32 errata-xmlrpc 2022-08-01 16:03:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799

Comment 33 errata-xmlrpc 2022-08-02 09:53:22 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866

Comment 41 errata-xmlrpc 2022-08-08 16:42:32 UTC
This issue has been addressed in the following products:

  Service Telemetry Framework 1.3 for RHEL 8

Via RHSA-2022:5923 https://access.redhat.com/errata/RHSA-2022:5923

Comment 42 errata-xmlrpc 2022-08-08 16:57:23 UTC
This issue has been addressed in the following products:

  Service Telemetry Framework 1.4 for RHEL 8

Via RHSA-2022:5924 https://access.redhat.com/errata/RHSA-2022:5924

Comment 43 errata-xmlrpc 2022-08-09 02:36:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5875 https://access.redhat.com/errata/RHSA-2022:5875

Comment 46 errata-xmlrpc 2022-08-10 11:37:13 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 47 errata-xmlrpc 2022-08-10 13:15:49 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

Comment 52 errata-xmlrpc 2022-08-15 09:17:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:6061 https://access.redhat.com/errata/RHSA-2022:6061

Comment 53 errata-xmlrpc 2022-08-15 09:18:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:6062 https://access.redhat.com/errata/RHSA-2022:6062

Comment 54 errata-xmlrpc 2022-08-15 09:44:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:6065 https://access.redhat.com/errata/RHSA-2022:6065

Comment 55 errata-xmlrpc 2022-08-15 09:46:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:6066 https://access.redhat.com/errata/RHSA-2022:6066

Comment 67 errata-xmlrpc 2022-08-18 15:10:25 UTC
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113

Comment 68 errata-xmlrpc 2022-08-18 16:04:48 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:6051 https://access.redhat.com/errata/RHSA-2022:6051

Comment 70 errata-xmlrpc 2022-08-22 21:15:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:6053 https://access.redhat.com/errata/RHSA-2022:6053

Comment 71 errata-xmlrpc 2022-08-23 15:07:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6103 https://access.redhat.com/errata/RHSA-2022:6103

Comment 72 errata-xmlrpc 2022-08-25 05:49:59 UTC
This issue has been addressed in the following products:

  Self Node Remediation 0.4 for RHEL 8

Via RHSA-2022:6184 https://access.redhat.com/errata/RHSA-2022:6184

Comment 73 errata-xmlrpc 2022-08-25 10:09:01 UTC
This issue has been addressed in the following products:

  Node Healthcheck Operator 0.3 for RHEL 8

Via RHSA-2022:6187 https://access.redhat.com/errata/RHSA-2022:6187

Comment 74 errata-xmlrpc 2022-08-25 11:21:07 UTC
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188

Comment 75 errata-xmlrpc 2022-09-01 01:25:05 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:6290 https://access.redhat.com/errata/RHSA-2022:6290

Comment 76 errata-xmlrpc 2022-09-01 05:41:08 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152

Comment 77 errata-xmlrpc 2022-09-06 12:58:18 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347

Comment 78 errata-xmlrpc 2022-09-06 13:02:25 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346

Comment 79 errata-xmlrpc 2022-09-06 13:22:26 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:6182 https://access.redhat.com/errata/RHSA-2022:6182

Comment 80 errata-xmlrpc 2022-09-06 13:32:28 UTC
This issue has been addressed in the following products:

  Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2022:6183 https://access.redhat.com/errata/RHSA-2022:6183

Comment 81 errata-xmlrpc 2022-09-06 13:42:47 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348

Comment 82 errata-xmlrpc 2022-09-06 14:33:40 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345

Comment 83 errata-xmlrpc 2022-09-06 17:00:33 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:6344 https://access.redhat.com/errata/RHSA-2022:6344

Comment 84 errata-xmlrpc 2022-09-06 22:29:24 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370

Comment 85 errata-xmlrpc 2022-09-09 05:14:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:6262 https://access.redhat.com/errata/RHSA-2022:6262

Comment 86 errata-xmlrpc 2022-09-13 00:58:37 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429

Comment 87 errata-xmlrpc 2022-09-13 02:10:08 UTC
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430

Comment 88 errata-xmlrpc 2022-09-14 12:48:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:6517 https://access.redhat.com/errata/RHSA-2022:6517

Comment 89 errata-xmlrpc 2022-09-14 20:38:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6308 https://access.redhat.com/errata/RHSA-2022:6308

Comment 92 errata-xmlrpc 2022-09-26 09:41:14 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:6560 https://access.redhat.com/errata/RHSA-2022:6560

Comment 93 errata-xmlrpc 2022-09-26 15:27:17 UTC
This issue has been addressed in the following products:

  RHACS-3.72-RHEL-8

Via RHSA-2022:6714 https://access.redhat.com/errata/RHSA-2022:6714

Comment 99 errata-xmlrpc 2022-11-08 09:25:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519

Comment 100 errata-xmlrpc 2022-11-08 09:28:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529

Comment 101 errata-xmlrpc 2022-11-08 10:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7648 https://access.redhat.com/errata/RHSA-2022:7648

Comment 102 errata-xmlrpc 2022-11-15 10:06:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057

Comment 103 errata-xmlrpc 2022-11-15 10:14:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8098 https://access.redhat.com/errata/RHSA-2022:8098

Comment 104 errata-xmlrpc 2022-11-15 10:43:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8250 https://access.redhat.com/errata/RHSA-2022:8250

Comment 124 errata-xmlrpc 2023-01-17 14:51:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398

Comment 125 errata-xmlrpc 2023-01-24 12:48:59 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 126 errata-xmlrpc 2023-01-24 13:34:48 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408


Note You need to log in before you can comment on or make changes to this bug.