Bug 2292787 (CVE-2024-24790) - CVE-2024-24790 golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
Summary: CVE-2024-24790 golang: net/netip: Unexpected behavior from Is methods for IPv...
Keywords:
Status: NEW
Alias: CVE-2024-24790
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2292963 2292964 2292965 2349925 2351368 2292918 2292919 2292929 2292931 2292932 2292933 2292934 2292935 2292936 2292937 2292938 2292939 2292940 2292941 2292960 2292966 2292967 2292969 2295971 2351367 2351370 2351371
Blocks: 2292754
Reported: 2024-06-17 22:04 UTC by Marco Benatto
Modified: 2025-05-15 08:28 UTC

Fixed In Version: golang 1.22.4, golang 1.21.11
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:4490 0 None None None 2024-07-11 08:15:44 UTC
Red Hat Product Errata RHSA-2024:10186 0 None None None 2024-11-22 01:07:26 UTC
Red Hat Product Errata RHSA-2024:10775 0 None None None 2024-12-04 01:00:10 UTC
Red Hat Product Errata RHSA-2024:10906 0 None None None 2024-12-10 01:38:34 UTC
Red Hat Product Errata RHSA-2024:4212 0 None None None 2024-07-02 09:01:26 UTC
Red Hat Product Errata RHSA-2024:4237 0 None None None 2024-07-02 15:22:24 UTC
Red Hat Product Errata RHSA-2024:4613 0 None None None 2024-07-24 18:53:39 UTC
Red Hat Product Errata RHSA-2024:4697 0 None None None 2024-07-22 10:11:34 UTC
Red Hat Product Errata RHSA-2024:4785 0 None None None 2024-08-07 00:48:29 UTC
Red Hat Product Errata RHSA-2024:4872 0 None None None 2024-07-25 14:44:20 UTC
Red Hat Product Errata RHSA-2024:4893 0 None None None 2024-07-29 00:17:21 UTC
Red Hat Product Errata RHSA-2024:4982 0 None None None 2024-08-01 19:11:33 UTC
Red Hat Product Errata RHSA-2024:5075 0 None None None 2024-08-07 10:36:03 UTC
Red Hat Product Errata RHSA-2024:5077 0 None None None 2024-08-07 10:53:04 UTC
Red Hat Product Errata RHSA-2024:5202 0 None None None 2024-08-19 05:12:30 UTC
Red Hat Product Errata RHSA-2024:5291 0 None None None 2024-08-13 15:25:37 UTC
Red Hat Product Errata RHSA-2024:5433 0 None None None 2024-08-22 11:41:45 UTC
Red Hat Product Errata RHSA-2024:5436 0 None None None 2024-08-22 11:56:11 UTC
Red Hat Product Errata RHSA-2024:5439 0 None None None 2024-08-22 11:43:03 UTC
Red Hat Product Errata RHSA-2024:5442 0 None None None 2024-08-22 11:58:30 UTC
Red Hat Product Errata RHSA-2024:5444 0 None None None 2024-08-22 11:43:29 UTC
Red Hat Product Errata RHSA-2024:5446 0 None None None 2024-08-22 12:14:44 UTC
Red Hat Product Errata RHSA-2024:5547 0 None None None 2024-08-19 07:42:24 UTC
Red Hat Product Errata RHSA-2024:5808 0 None None None 2024-08-29 03:08:05 UTC
Red Hat Product Errata RHSA-2024:6341 0 None None None 2024-10-23 00:30:45 UTC
Red Hat Product Errata RHSA-2024:6462 0 None None None 2024-09-09 00:49:25 UTC
Red Hat Product Errata RHSA-2024:6765 0 None None None 2024-09-18 16:04:16 UTC
Red Hat Product Errata RHSA-2024:7174 0 None None None 2024-10-02 05:28:00 UTC
Red Hat Product Errata RHSA-2024:7987 0 None None None 2024-10-10 20:29:01 UTC
Red Hat Product Errata RHSA-2024:8418 0 None None None 2024-10-30 01:29:57 UTC
Red Hat Product Errata RHSA-2024:8876 0 None None None 2024-11-05 04:01:15 UTC
Red Hat Product Errata RHSA-2024:9115 0 None None None 2024-11-12 08:48:46 UTC
Red Hat Product Errata RHSA-2024:9583 0 None None None 2024-11-13 18:01:00 UTC
Red Hat Product Errata RHSA-2025:7256 0 None None None 2025-05-13 10:29:36 UTC

Description Marco Benatto 2024-06-17 22:04:09 UTC
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

http://www.openwall.com/lists/oss-security/2024/06/04/1
https://go.dev/cl/590316
https://go.dev/issue/67680
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
https://pkg.go.dev/vuln/GO-2024-2887
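
The report above describes Is* methods answering differently for an address written as ::ffff:a.b.c.d than for the same host written as a.b.c.d. The program below is an added example, not code from this bug or from the Go project: it shows the defensive pattern of calling Unmap before classifying an address, so that access-control decisions keyed on IsPrivate or IsLoopback do not depend on whether the toolchain carries the fix. The names classify, isMapped and consistent, and the sample addresses, are chosen here.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Classification is the subset of netip.Addr "Is" answers that
// access-control code commonly keys on.
type Classification struct {
	Loopback, Private, LinkLocalUnicast, Unspecified bool
}

// classify reports the Is* results for a on its canonical form: an
// IPv4-mapped IPv6 address (::ffff:a.b.c.d) is unmapped to its IPv4 form
// before the checks run, so the answers are the same on patched and
// unpatched toolchains.
func classify(a netip.Addr) Classification {
	a = a.Unmap() // no-op for plain IPv4 and for non-mapped IPv6
	return Classification{
		Loopback:         a.IsLoopback(),
		Private:          a.IsPrivate(),
		LinkLocalUnicast: a.IsLinkLocalUnicast(),
		Unspecified:      a.IsUnspecified(),
	}
}

// isMapped reports whether a is an IPv4-mapped IPv6 address, the shape
// for which the unpatched Is* methods returned false.
func isMapped(a netip.Addr) bool { return a.Is4In6() }

// consistent reports whether classifying the address as given matches
// classifying its unmapped form. On a toolchain without the fix this is
// false for a mapped private or loopback address; on a fixed toolchain it
// is true for every input.
func consistent(a netip.Addr) bool {
	raw := Classification{
		Loopback:         a.IsLoopback(),
		Private:          a.IsPrivate(),
		LinkLocalUnicast: a.IsLinkLocalUnicast(),
		Unspecified:      a.IsUnspecified(),
	}
	return raw == classify(a)
}

func main() {
	// Constructed sample inputs: the same hosts in IPv4 and IPv4-mapped form.
	samples := []string{
		"10.1.2.3", "::ffff:10.1.2.3",
		"127.0.0.1", "::ffff:127.0.0.1",
		"8.8.8.8", "::ffff:8.8.8.8",
	}
	for _, s := range samples {
		a := netip.MustParseAddr(s)
		fmt.Printf("%-18s mapped=%-5v consistent=%-5v %+v\n",
			s, isMapped(a), consistent(a), classify(a))
	}
}
```

Running consistent over the mapped samples is a quick way to tell whether the toolchain a binary was built with still has the pre-fix behaviour; classify is the form to use in policy code regardless, since it gives one answer for both spellings of the same host.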

Comment 1 Marco Benatto 2024-06-18 16:45:15 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2292918]
Affects: fedora-all [bug 2292919]

Comment 23 Tom Sweeney 2024-06-18 19:42:46 UTC
This looks like it will be fixed in the next version of Golang 1.22 and 1.21.  I believe that will be Go 1.22.5 and 1.21.12.  Can someone from ProdSec or the Go team verify this, please, and add a "Fixed in Version" to this BZ?

Comment 28 errata-xmlrpc 2024-07-02 09:01:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4212 https://access.redhat.com/errata/RHSA-2024:4212

Comment 29 errata-xmlrpc 2024-07-02 15:22:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4237 https://access.redhat.com/errata/RHSA-2024:4237

Comment 30 errata-xmlrpc 2024-07-22 10:11:24 UTC
This issue has been addressed in the following products:

  Cryostat 3 on RHEL 8

Via RHSA-2024:4697 https://access.redhat.com/errata/RHSA-2024:4697

Comment 31 errata-xmlrpc 2024-07-24 18:53:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4613 https://access.redhat.com/errata/RHSA-2024:4613

Comment 32 errata-xmlrpc 2024-07-25 14:44:10 UTC
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4872 https://access.redhat.com/errata/RHSA-2024:4872

Comment 33 errata-xmlrpc 2024-07-29 00:17:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:4893 https://access.redhat.com/errata/RHSA-2024:4893

Comment 34 errata-xmlrpc 2024-08-01 19:11:26 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:4982 https://access.redhat.com/errata/RHSA-2024:4982

Comment 35 errata-xmlrpc 2024-08-07 00:48:21 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:4785 https://access.redhat.com/errata/RHSA-2024:4785

Comment 36 errata-xmlrpc 2024-08-07 10:35:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5075 https://access.redhat.com/errata/RHSA-2024:5075

Comment 37 errata-xmlrpc 2024-08-07 10:52:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5077 https://access.redhat.com/errata/RHSA-2024:5077

Comment 38 errata-xmlrpc 2024-08-13 15:25:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5291 https://access.redhat.com/errata/RHSA-2024:5291

Comment 39 errata-xmlrpc 2024-08-19 05:12:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5202 https://access.redhat.com/errata/RHSA-2024:5202

Comment 40 errata-xmlrpc 2024-08-19 07:42:16 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:5547 https://access.redhat.com/errata/RHSA-2024:5547

Comment 41 errata-xmlrpc 2024-08-22 11:41:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433

Comment 42 errata-xmlrpc 2024-08-22 11:42:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:5439 https://access.redhat.com/errata/RHSA-2024:5439

Comment 43 errata-xmlrpc 2024-08-22 11:43:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5444 https://access.redhat.com/errata/RHSA-2024:5444

Comment 44 errata-xmlrpc 2024-08-22 11:56:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5436 https://access.redhat.com/errata/RHSA-2024:5436

Comment 45 errata-xmlrpc 2024-08-22 11:58:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:5442 https://access.redhat.com/errata/RHSA-2024:5442

Comment 46 errata-xmlrpc 2024-08-22 12:14:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5446 https://access.redhat.com/errata/RHSA-2024:5446

Comment 47 errata-xmlrpc 2024-08-29 03:07:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5808 https://access.redhat.com/errata/RHSA-2024:5808

Comment 49 errata-xmlrpc 2024-09-09 00:49:16 UTC
This issue has been addressed in the following products:

  Cost Management for RHEL 8

Via RHSA-2024:6462 https://access.redhat.com/errata/RHSA-2024:6462

Comment 50 errata-xmlrpc 2024-09-18 16:04:06 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:6765 https://access.redhat.com/errata/RHSA-2024:6765

Comment 52 errata-xmlrpc 2024-10-02 05:27:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:7174 https://access.redhat.com/errata/RHSA-2024:7174

Comment 54 errata-xmlrpc 2024-10-10 20:28:52 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:7987 https://access.redhat.com/errata/RHSA-2024:7987

Comment 55 errata-xmlrpc 2024-10-23 00:30:34 UTC
This issue has been addressed in the following products:

  KDO-5.1-RHEL-9

Via RHSA-2024:6341 https://access.redhat.com/errata/RHSA-2024:6341

Comment 58 errata-xmlrpc 2024-10-30 01:29:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8418 https://access.redhat.com/errata/RHSA-2024:8418

Comment 59 errata-xmlrpc 2024-11-05 04:01:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:8876 https://access.redhat.com/errata/RHSA-2024:8876

Comment 60 errata-xmlrpc 2024-11-12 08:48:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9115 https://access.redhat.com/errata/RHSA-2024:9115

Comment 61 errata-xmlrpc 2024-11-13 18:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:9583 https://access.redhat.com/errata/RHSA-2024:9583

Comment 62 errata-xmlrpc 2024-11-22 01:07:17 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186

Comment 65 errata-xmlrpc 2024-12-04 01:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.6

Via RHSA-2024:10775 https://access.redhat.com/errata/RHSA-2024:10775

Comment 66 errata-xmlrpc 2024-12-10 01:38:23 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906

Comment 73 errata-xmlrpc 2025-05-13 10:29:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7256 https://access.redhat.com/errata/RHSA-2025:7256

