Bug 1401985 (CVE-2017-1000098) - CVE-2017-1000098 golang: net/http: multipart ReadForm close file after copy
Summary: CVE-2017-1000098 golang: net/http: multipart ReadForm close file after copy
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-1000098
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1401987 1401988 1405647 1405648
Blocks: 1401989
TreeView+ depends on / blocked
 
Reported: 2016-12-06 14:10 UTC by Adam Mariš
Modified: 2021-10-21 11:48 UTC (History)
38 users (show)

Fixed In Version: golang 1.6.4, golang 1.7.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-21 11:48:28 UTC
Embargoed:


Attachments (Terms of Use)

Description Adam Mariš 2016-12-06 14:10:09 UTC
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

Upstream bug:

https://github.com/golang/go/issues/17965

Upstream patch:

https://go-review.googlesource.com/#/c/30410/

External Reference:

https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ

Comment 1 Adam Mariš 2016-12-06 14:11:07 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1401987]
Affects: epel-all [bug 1401988]


Note You need to log in before you can comment on or make changes to this bug.