Bug 2268021 (CVE-2024-24784) - CVE-2024-24784 golang: net/mail: comments in display names are incorrectly handled
Summary: CVE-2024-24784 golang: net/mail: comments in display names are incorrectly ha...
Keywords:
Status: NEW
Alias: CVE-2024-24784
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2268250 2268251 2276465 2276466 2276467 2276468 2276469 2276470 2276471 2276472 2276473 2276474 2292182 2292183 2349673
Blocks: 2268016
TreeView+ depends on / blocked
 
Reported: 2024-03-06 02:06 UTC by Robb Gatica
Modified: 2026-02-20 08:28 UTC (History)
86 users (show)

Fixed In Version: go 1.21.8, go 1.22.1
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:4031 0 None None None 2024-06-20 14:52:04 UTC
Red Hat Product Errata RHBA-2024:4032 0 None None None 2024-06-20 14:52:19 UTC
Red Hat Product Errata RHBA-2024:4033 0 None None None 2024-06-20 15:40:00 UTC
Red Hat Product Errata RHBA-2024:5335 0 None None None 2024-08-13 17:32:51 UTC
Red Hat Product Errata RHSA-2024:0041 0 None None None 2024-06-27 11:24:02 UTC
Red Hat Product Errata RHSA-2024:0045 0 None None None 2024-06-27 13:01:18 UTC
Red Hat Product Errata RHSA-2024:1616 0 None None None 2024-07-01 00:29:01 UTC
Red Hat Product Errata RHSA-2024:2562 0 None None None 2024-04-30 14:39:49 UTC
Red Hat Product Errata RHSA-2024:3259 0 None None None 2024-05-22 11:37:43 UTC
Red Hat Product Errata RHSA-2024:3617 0 None None None 2024-07-01 00:53:15 UTC
Red Hat Product Errata RHSA-2024:3621 0 None None None 2024-06-05 05:15:47 UTC
Red Hat Product Errata RHSA-2024:3637 0 None None None 2024-07-01 00:40:07 UTC
Red Hat Product Errata RHSA-2024:3790 0 None None None 2024-06-11 02:33:31 UTC
Red Hat Product Errata RHSA-2024:4023 0 None None None 2024-06-20 12:37:41 UTC
Red Hat Product Errata RHSA-2024:4028 0 None None None 2024-06-20 13:20:30 UTC
Red Hat Product Errata RHSA-2024:4520 0 None None None 2024-07-11 17:32:45 UTC
Red Hat Product Errata RHSA-2024:5258 0 None None None 2024-08-13 00:38:21 UTC
Red Hat Product Errata RHSA-2024:6969 0 None None None 2024-09-24 03:21:31 UTC
Red Hat Product Errata RHSA-2024:9485 0 None None None 2024-11-13 13:15:45 UTC
Red Hat Product Errata RHSA-2025:9775 0 None None None 2025-06-26 12:11:03 UTC

Description Robb Gatica 2024-03-06 02:06:29 UTC
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

https://github.com/golang/go/issues/65083

Comment 3 Robb Gatica 2024-03-06 19:40:21 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2268251]
Affects: fedora-all [bug 2268250]

Comment 9 errata-xmlrpc 2024-04-30 14:39:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562

Comment 12 errata-xmlrpc 2024-05-22 11:37:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3259 https://access.redhat.com/errata/RHSA-2024:3259

Comment 13 errata-xmlrpc 2024-06-05 05:15:42 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.2

Via RHSA-2024:3621 https://access.redhat.com/errata/RHSA-2024:3621

Comment 15 errata-xmlrpc 2024-06-11 02:33:26 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:3790 https://access.redhat.com/errata/RHSA-2024:3790

Comment 17 errata-xmlrpc 2024-06-20 12:37:34 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:4023 https://access.redhat.com/errata/RHSA-2024:4023

Comment 18 errata-xmlrpc 2024-06-20 13:20:22 UTC
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4028 https://access.redhat.com/errata/RHSA-2024:4028

Comment 19 errata-xmlrpc 2024-06-27 11:23:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041

Comment 20 errata-xmlrpc 2024-06-27 13:01:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045

Comment 21 errata-xmlrpc 2024-07-01 00:28:54 UTC
This issue has been addressed in the following products:

  RODOO-1.1-RHEL-9

Via RHSA-2024:1616 https://access.redhat.com/errata/RHSA-2024:1616

Comment 22 errata-xmlrpc 2024-07-01 00:40:01 UTC
This issue has been addressed in the following products:

  OSSO-1.3-RHEL-9

Via RHSA-2024:3637 https://access.redhat.com/errata/RHSA-2024:3637

Comment 23 errata-xmlrpc 2024-07-01 00:53:09 UTC
This issue has been addressed in the following products:

  KDO-5.0-RHEL-9

Via RHSA-2024:3617 https://access.redhat.com/errata/RHSA-2024:3617

Comment 24 errata-xmlrpc 2024-07-11 17:32:39 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2024:4520 https://access.redhat.com/errata/RHSA-2024:4520

Comment 25 errata-xmlrpc 2024-08-13 00:38:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258

Comment 26 errata-xmlrpc 2024-09-24 03:21:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969

Comment 27 errata-xmlrpc 2024-11-13 13:15:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Services on OpenShift PODIFIED 1.0

Via RHSA-2024:9485 https://access.redhat.com/errata/RHSA-2024:9485

Comment 34 errata-xmlrpc 2025-06-26 12:10:55 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 8.1

Via RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775

Comment 35 Dan682Lee 2026-02-06 06:19:55 UTC
The issue with ParseAddressList is that it mishandles comments (text in parentheses) inside display names, which makes its behavior diverge from conforming address parsers. This inconsistency can be problematic because different programs may interpret the same address string differently, leading to mismatched trust decisions or security checks. In practice, it means one parser might accept or trust an address while another rejects or flags it, creating potential vulnerabilities or confusion in systems that rely on consistent parsing.
 https://www.greensky-online.com


Note You need to log in before you can comment on or make changes to this bug.