Bug 2107388 (CVE-2022-30635) - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
Summary: CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
Keywords:
Status: NEW
Alias: CVE-2022-30635
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2107389 2111773 2111774 2111782 2111783 2115532 2115537 2115539 2115543 2115546 2115547 2134423 2109914 2109915 2109916 2109917 2110276 2110349 2111001 2111496 2111746 2111747 2111752 2111753 2111765 2111766 2111772 2111775 2112009 2112010 2115530 2115531 2115534 2115536 2115544 2115545 2115548 2115549 2115551 2123509 2123510 2123514 2123748 2123750 2123754 2134424
Blocks: 2108341
TreeView+ depends on / blocked
 
Reported: 2022-07-14 21:38 UTC by Anten Skrabec
Modified: 2023-01-24 13:35 UTC (History)
167 users (show)

Fixed In Version: golang 1.18.4, golang 1.17.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. When calling Decoder, Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5800 0 None None None 2022-08-01 16:00:00 UTC
Red Hat Product Errata RHBA-2022:6131 0 None None None 2022-08-22 19:36:37 UTC
Red Hat Product Errata RHSA-2022:5775 0 None None None 2022-08-01 12:05:02 UTC
Red Hat Product Errata RHSA-2022:5799 0 None None None 2022-08-01 16:04:50 UTC
Red Hat Product Errata RHSA-2022:5866 0 None None None 2022-08-02 09:54:21 UTC
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:17:18 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:38:18 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:42:15 UTC
Red Hat Product Errata RHSA-2022:6283 0 None None None 2022-08-31 18:49:53 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:35:30 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:03:30 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:59:29 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:43:55 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:30:25 UTC
Red Hat Product Errata RHSA-2022:7129 0 None None None 2022-10-25 09:30:28 UTC
Red Hat Product Errata RHSA-2022:7519 0 None None None 2022-11-08 09:24:59 UTC
Red Hat Product Errata RHSA-2022:7648 0 None None None 2022-11-08 10:00:49 UTC
Red Hat Product Errata RHSA-2022:8057 0 None None None 2022-11-15 10:07:41 UTC
Red Hat Product Errata RHSA-2022:8250 0 None None None 2022-11-15 10:44:31 UTC
Red Hat Product Errata RHSA-2022:8634 0 None None None 2022-11-28 02:51:46 UTC
Red Hat Product Errata RHSA-2022:9047 0 None None None 2022-12-15 01:58:28 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:51 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:35:44 UTC

Description Anten Skrabec 2022-07-14 21:38:16 UTC
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

Comment 1 Anten Skrabec 2022-07-14 21:38:31 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107389]

Comment 7 Avinash Hanwate 2022-07-25 09:34:39 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110349]

Comment 17 errata-xmlrpc 2022-08-01 12:04:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775

Comment 18 errata-xmlrpc 2022-08-01 16:04:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799

Comment 19 errata-xmlrpc 2022-08-02 09:54:12 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866

Comment 22 errata-xmlrpc 2022-08-10 11:38:09 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 23 errata-xmlrpc 2022-08-10 13:17:09 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

Comment 25 errata-xmlrpc 2022-08-31 18:49:46 UTC
This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:6283 https://access.redhat.com/errata/RHSA-2022:6283

Comment 26 errata-xmlrpc 2022-09-01 05:42:08 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152

Comment 27 errata-xmlrpc 2022-09-06 12:59:20 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347

Comment 28 errata-xmlrpc 2022-09-06 13:03:23 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346

Comment 29 errata-xmlrpc 2022-09-06 13:43:46 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348

Comment 30 errata-xmlrpc 2022-09-06 14:35:23 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345

Comment 31 errata-xmlrpc 2022-09-06 22:30:19 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370

Comment 36 errata-xmlrpc 2022-10-25 09:30:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129

Comment 39 errata-xmlrpc 2022-11-08 09:24:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519

Comment 40 errata-xmlrpc 2022-11-08 10:00:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7648 https://access.redhat.com/errata/RHSA-2022:7648

Comment 41 errata-xmlrpc 2022-11-15 10:07:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057

Comment 42 errata-xmlrpc 2022-11-15 10:44:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8250 https://access.redhat.com/errata/RHSA-2022:8250

Comment 43 errata-xmlrpc 2022-11-28 02:51:40 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:8634 https://access.redhat.com/errata/RHSA-2022:8634

Comment 45 errata-xmlrpc 2022-12-15 01:58:20 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047

Comment 59 errata-xmlrpc 2023-01-24 12:49:44 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 60 errata-xmlrpc 2023-01-24 13:35:37 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408


Note You need to log in before you can comment on or make changes to this bug.