Bug 2113814 (CVE-2022-32189) - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32189
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2113951 2118439 2113815 2113816 2115724 2115725 2115726 2115727 2116750 2116751 2116752 2116753 2116754 2116755 2116756 2116757 2116758 2116759 2116760 2116761 2116762 2116763 2116764 2116765 2116766 2116767 2116768 2116769 2116770 2116771 2116772 2116773 2116774 2116775 2116776 2116777 2116778 2116779 2116780 2116781 2116782 2116783 2116784 2116785 2116786 2116787 2118437 2118438 2118440 2118441 2118442 2118443 2118444 2118445 2118446 2118447 2118448 2118449 2118450 2118451 2118452 2118453 2118454 2118455 2118456 2118457 2134427 2134428 2168805
Blocks: 2113817
Reported: 2022-08-02 05:21 UTC by TEJ RATHI
Modified: 2024-04-02 15:27 UTC

Fixed In Version: golang 1.17.13, golang 1.18.5
Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.
Clone Of:
Environment:
Last Closed: 2023-05-18 19:12:07 UTC
Embargoed:

Links
System                   ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2022:7129  0        None      None    None     2022-10-25 09:31:57 UTC
Red Hat Product Errata   RHSA-2022:7398  0        None      None    None     2023-01-17 14:51:16 UTC
Red Hat Product Errata   RHSA-2022:7548  0        None      None    None     2022-11-08 09:33:27 UTC
Red Hat Product Errata   RHSA-2022:7950  0        None      None    None     2022-11-15 09:47:22 UTC
Red Hat Product Errata   RHSA-2022:8534  0        None      None    None     2022-11-24 04:08:58 UTC
Red Hat Product Errata   RHSA-2022:8535  0        None      None    None     2022-11-24 04:14:15 UTC
Red Hat Product Errata   RHSA-2022:8626  0        None      None    None     2022-11-28 20:43:45 UTC
Red Hat Product Errata   RHSA-2022:8781  0        None      None    None     2022-12-08 07:37:43 UTC
Red Hat Product Errata   RHSA-2023:0542  0        None      None    None     2023-01-30 17:20:54 UTC
Red Hat Product Errata   RHSA-2023:0584  0        None      None    None     2023-05-18 14:27:47 UTC
Red Hat Product Errata   RHSA-2023:0693  0        None      None    None     2023-02-09 02:17:30 UTC
Red Hat Product Errata   RHSA-2023:1275  0        None      None    None     2023-03-15 19:56:03 UTC
Red Hat Product Errata   RHSA-2023:1529  0        None      None    None     2023-03-30 00:43:51 UTC
Red Hat Product Errata   RHSA-2023:2193  0        None      None    None     2023-05-09 07:15:56 UTC
Red Hat Product Errata   RHSA-2023:2236  0        None      None    None     2023-05-09 07:20:22 UTC
Red Hat Product Errata   RHSA-2023:2357  0        None      None    None     2023-05-09 07:35:13 UTC
Red Hat Product Errata   RHSA-2023:2758  0        None      None    None     2023-05-16 08:09:45 UTC
Red Hat Product Errata   RHSA-2023:2802  0        None      None    None     2023-05-16 08:14:18 UTC
Red Hat Product Errata   RHSA-2023:3204  0        None      None    None     2023-05-18 00:36:30 UTC
Red Hat Product Errata   RHSA-2023:3205  0        None      None    None     2023-05-18 02:55:18 UTC
Red Hat Product Errata   RHSA-2023:3642  0        None      None    None     2023-06-15 16:00:54 UTC
Red Hat Product Errata   RHSA-2023:3742  0        None      None    None     2023-06-22 19:51:48 UTC

Description TEJ RATHI 2022-08-02 05:21:23 UTC
A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

References:
https://go.dev/issue/53871
https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU

Upstream Commits:
Master : https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66
Branch.go1.17 : https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102
Branch.go1.18 : https://github.com/golang/go/commit/9240558e4f342fc6e98fec22de17c04b45089349
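A defensive decoder for the two affected types, added here as an example (not code from the Go project or from this bug report): it wraps GobDecode so that a too-short message yields an error instead of a panic whichever Go toolchain is running, and rejects the empty message that GobDecode would otherwise accept as zero. The gobDecoder interface, safeGobDecode and decodeRat are names assumed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// gobDecoder is satisfied by *big.Rat and *big.Float, the two types named
// in CVE-2022-32189.
type gobDecoder interface {
	GobDecode([]byte) error
}

// safeGobDecode runs dst.GobDecode on untrusted bytes and converts a panic
// (what a too-short message triggers on Go before 1.17.13 / 1.18.5) into an
// error, so a malformed message cannot take the process down. Patched Go
// already returns an error; recover is the net for unpatched toolchains.
// The empty buffer is rejected because GobDecode accepts it as a zero value.
func safeGobDecode(dst gobDecoder, data []byte) (err error) {
	if len(data) == 0 {
		return errors.New("gob decode: empty message")
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("gob decode panicked on %d-byte input: %v", len(data), r)
		}
	}()
	return dst.GobDecode(data)
}

// decodeRat is the typed entry point for Rat bytes from a peer; *big.Float works the same way.
func decodeRat(data []byte) (*big.Rat, error) {
	r := new(big.Rat)
	if err := safeGobDecode(r, data); err != nil {
		return nil, err
	}
	return r, nil
}

func main() {
	// Constructed sample: a valid encoding of 22/7 and its first 3 bytes,
	// standing in for a truncated message from an untrusted peer.
	good, _ := big.NewRat(22, 7).GobEncode()
	r, err := decodeRat(good)
	fmt.Println(r, err) // 22/7 <nil>
	_, err = decodeRat(good[:3])
	fmt.Println(err != nil) // true
}
```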

Comment 1 TEJ RATHI 2022-08-02 05:23:50 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2113816]
Affects: fedora-all [bug 2113815]

Comment 9 errata-xmlrpc 2022-10-25 09:31:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129

Comment 12 errata-xmlrpc 2022-11-08 09:33:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7548 https://access.redhat.com/errata/RHSA-2022:7548

Comment 14 errata-xmlrpc 2022-11-15 09:47:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7950 https://access.redhat.com/errata/RHSA-2022:7950

Comment 20 errata-xmlrpc 2022-11-24 04:08:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8534 https://access.redhat.com/errata/RHSA-2022:8534

Comment 21 errata-xmlrpc 2022-11-24 04:14:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8535 https://access.redhat.com/errata/RHSA-2022:8535

Comment 24 errata-xmlrpc 2022-11-28 20:43:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8626 https://access.redhat.com/errata/RHSA-2022:8626

Comment 25 errata-xmlrpc 2022-12-08 07:37:37 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781

Comment 44 errata-xmlrpc 2023-01-17 14:51:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398

Comment 45 errata-xmlrpc 2023-01-30 17:20:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542

Comment 53 errata-xmlrpc 2023-02-09 02:17:24 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693

Comment 57 errata-xmlrpc 2023-03-15 19:55:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

Comment 58 errata-xmlrpc 2023-03-30 00:43:44 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529

Comment 62 errata-xmlrpc 2023-05-09 07:15:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2193 https://access.redhat.com/errata/RHSA-2023:2193

Comment 63 errata-xmlrpc 2023-05-09 07:20:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2236 https://access.redhat.com/errata/RHSA-2023:2236

Comment 64 errata-xmlrpc 2023-05-09 07:35:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357

Comment 67 errata-xmlrpc 2023-05-16 08:09:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758

Comment 68 errata-xmlrpc 2023-05-16 08:14:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802

Comment 70 errata-xmlrpc 2023-05-18 00:36:23 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13
  RHEL-7-CNV-4.13
  RHEL-8-CNV-4.13

Via RHSA-2023:3204 https://access.redhat.com/errata/RHSA-2023:3204

Comment 71 errata-xmlrpc 2023-05-18 02:55:10 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205

Comment 72 errata-xmlrpc 2023-05-18 14:27:39 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 73 Product Security DevOps Team 2023-05-18 19:11:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32189

Comment 74 errata-xmlrpc 2023-06-15 16:00:45 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 75 errata-xmlrpc 2023-06-22 19:51:42 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
