Bug 2100495 (CVE-2021-38561) - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
Status: CLOSED ERRATA
Alias: CVE-2021-38561
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: (per-product tracking bugs)
Blocks: 2100485
 
Reported: 2022-06-23 14:17 UTC by Marco Benatto
Modified: 2024-03-26 22:22 UTC

Fixed In Version: golang.org/x/text/language 0.3.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang.org/x/text/language package for Go. Parsing an incorrectly formatted language tag can cause the package to panic due to an out-of-bounds read. An attacker who can supply untrusted input that an application parses with this package can crash that application, leading to a denial of service of the affected component.
Last Closed: 2023-01-27 21:22:27 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5070 0 None None None 2022-08-10 10:23:44 UTC
Red Hat Product Errata RHSA-2022:5525 0 None None None 2022-07-07 10:16:38 UTC
Red Hat Product Errata RHSA-2022:5556 0 None None None 2022-07-18 16:21:19 UTC
Red Hat Product Errata RHSA-2022:5908 0 None None None 2022-08-04 15:59:43 UTC
Red Hat Product Errata RHSA-2022:5909 0 None None None 2022-08-04 16:18:22 UTC
Red Hat Product Errata RHSA-2022:6051 0 None None None 2022-08-18 16:04:44 UTC
Red Hat Product Errata RHSA-2022:6263 0 None None None 2022-09-09 04:54:16 UTC
Red Hat Product Errata RHSA-2022:6287 0 None None None 2022-09-07 20:49:05 UTC
Red Hat Product Errata RHSA-2022:6318 0 None None None 2022-09-12 12:17:29 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:02:32 UTC
Red Hat Product Errata RHSA-2022:6526 0 None None None 2022-09-14 19:28:07 UTC
Red Hat Product Errata RHSA-2022:6537 0 None None None 2022-09-20 08:13:58 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:36:59 UTC
Red Hat Product Errata RHSA-2022:7401 0 None None None 2023-01-17 19:35:38 UTC
Red Hat Product Errata RHSA-2022:8750 0 None None None 2022-12-01 21:10:20 UTC
Red Hat Product Errata RHSA-2023:0245 0 None None None 2023-01-23 15:53:29 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:04 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:34:49 UTC
Red Hat Product Errata RHSA-2023:0566 0 None None None 2023-02-07 06:18:41 UTC
Red Hat Product Errata RHSA-2023:0652 0 None None None 2023-02-15 05:11:22 UTC
Red Hat Product Errata RHSA-2023:0774 0 None None None 2023-02-21 18:11:36 UTC
Red Hat Product Errata RHSA-2023:0890 0 None None None 2023-02-28 11:59:43 UTC
Red Hat Product Errata RHSA-2023:0895 0 None None None 2023-02-28 07:39:16 UTC
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:31:00 UTC
Red Hat Product Errata RHSA-2023:1328 0 None None None 2023-05-18 00:21:04 UTC
Red Hat Product Errata RHSA-2023:3542 0 None None None 2023-06-14 14:20:38 UTC
Red Hat Product Errata RHSA-2023:4310 0 None None None 2023-08-02 01:03:17 UTC

Description Marco Benatto 2022-06-23 14:17:27 UTC
Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out-of-bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
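
The description above says that a malformed tag makes Parse panic, so besides upgrading to golang.org/x/text 0.3.7 a service should make sure untrusted tags cannot take the process down. The following is an added example and not code from this bug or from golang.org/x/text: it pre-filters tags with a strict BCP 47 syntax gate and converts any panic inside the parser into an error. The parser is injected so the file runs without x/text (fragileParse is a constructed stand-in with an index bug); in a real service you would call SafeParse(language.Parse, tag).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// ErrBadTag marks input rejected by the syntax gate, or a parser panic that
// was converted into an error instead of crashing the process.
var ErrBadTag = errors.New("language tag rejected")

// tagRe is a deliberately strict subset of BCP 47 (language, optional script,
// optional region, optional variants). Assumption: it is only a pre-filter for
// untrusted input; the real parser still decides what is valid.
var tagRe = regexp.MustCompile(
	`^[A-Za-z]{2,3}(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3}))*$`)

// SafeParse wraps any parser with the shape of language.Parse so that a
// malformed tag yields an error but never propagates a panic up the stack.
// The parser is injected so this file runs without golang.org/x/text.
func SafeParse[T any](parse func(string) (T, error), s string) (tag T, err error) {
	var zero T
	if len(s) > 64 || !tagRe.MatchString(s) {
		return zero, fmt.Errorf("%w: %q fails syntax gate", ErrBadTag, s)
	}
	defer func() {
		if r := recover(); r != nil { // e.g. runtime error: index out of range
			tag, err = zero, fmt.Errorf("%w: parser panicked on %q: %v", ErrBadTag, s, r)
		}
	}()
	return parse(s)
}

// fragileParse is a constructed stand-in for a parser with an index bug: it
// slices past the end of short but syntactically valid tags and panics.
func fragileParse(s string) (string, error) {
	return s[:5], nil // index out of range for len(s) < 5
}

func main() {
	for _, in := range []string{"en-US", "zh-Hant-TW", "en", "bad tag!"} {
		tag, err := SafeParse(fragileParse, in)
		fmt.Printf("%-12q -> tag=%q err=%v\n", in, tag, err)
	}
}
```

The syntax gate alone is not enough: "en" passes it and still trips the bug, which is why the recover is the part that actually protects the request-handling goroutine.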

Comment 2 Maxwell G 2022-06-24 22:37:54 UTC
golang-x-text in F34-Rawhide was updated to a patched version 5 months ago. I also just updated it in epel8. Please do not open bugs for this CVE against our packages.

Comment 9 errata-xmlrpc 2022-07-07 10:16:32 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.7

Via RHSA-2022:5525 https://access.redhat.com/errata/RHSA-2022:5525

Comment 37 errata-xmlrpc 2022-07-18 16:21:15 UTC
This issue has been addressed in the following products:

  Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2022:5556 https://access.redhat.com/errata/RHSA-2022:5556

Comment 39 Marco Benatto 2022-07-20 16:32:42 UTC
Upstream commit for this issue:
https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f

Comment 46 errata-xmlrpc 2022-08-04 15:59:36 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:5908 https://access.redhat.com/errata/RHSA-2022:5908

Comment 47 errata-xmlrpc 2022-08-04 16:18:17 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2022:5909 https://access.redhat.com/errata/RHSA-2022:5909

Comment 51 Vrinda 2022-08-09 02:48:15 UTC
*** Bug 2105594 has been marked as a duplicate of this bug. ***

Comment 52 errata-xmlrpc 2022-08-10 10:23:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5070 https://access.redhat.com/errata/RHSA-2022:5070

Comment 56 errata-xmlrpc 2022-08-18 16:04:39 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:6051 https://access.redhat.com/errata/RHSA-2022:6051

Comment 59 errata-xmlrpc 2022-09-06 13:02:25 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346

Comment 62 errata-xmlrpc 2022-09-07 20:48:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6287 https://access.redhat.com/errata/RHSA-2022:6287

Comment 63 errata-xmlrpc 2022-09-09 04:54:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:6263 https://access.redhat.com/errata/RHSA-2022:6263

Comment 64 errata-xmlrpc 2022-09-12 12:17:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6318 https://access.redhat.com/errata/RHSA-2022:6318

Comment 65 errata-xmlrpc 2022-09-14 19:28:00 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526

Comment 67 errata-xmlrpc 2022-09-20 08:13:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6537 https://access.redhat.com/errata/RHSA-2022:6537

Comment 72 errata-xmlrpc 2022-12-01 21:10:14 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:8750 https://access.redhat.com/errata/RHSA-2022:8750

Comment 86 errata-xmlrpc 2023-01-17 19:35:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7401 https://access.redhat.com/errata/RHSA-2022:7401

Comment 87 errata-xmlrpc 2023-01-17 19:36:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399

Comment 88 errata-xmlrpc 2023-01-23 15:53:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:0245 https://access.redhat.com/errata/RHSA-2023:0245

Comment 89 errata-xmlrpc 2023-01-24 12:48:58 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 90 errata-xmlrpc 2023-01-24 13:34:44 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408

Comment 91 Product Security DevOps Team 2023-01-27 21:22:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-38561

Comment 92 errata-xmlrpc 2023-02-07 06:18:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:0566 https://access.redhat.com/errata/RHSA-2023:0566

Comment 93 errata-xmlrpc 2023-02-15 05:11:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:0652 https://access.redhat.com/errata/RHSA-2023:0652

Comment 94 errata-xmlrpc 2023-02-21 18:11:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:0774 https://access.redhat.com/errata/RHSA-2023:0774

Comment 96 errata-xmlrpc 2023-02-28 07:39:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:0895 https://access.redhat.com/errata/RHSA-2023:0895

Comment 97 errata-xmlrpc 2023-02-28 11:59:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:0890 https://access.redhat.com/errata/RHSA-2023:0890

Comment 100 errata-xmlrpc 2023-05-17 22:30:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 101 errata-xmlrpc 2023-05-18 00:20:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1328 https://access.redhat.com/errata/RHSA-2023:1328

Comment 104 errata-xmlrpc 2023-06-14 14:20:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:3542 https://access.redhat.com/errata/RHSA-2023:3542

Comment 105 errata-xmlrpc 2023-08-02 01:03:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:4310 https://access.redhat.com/errata/RHSA-2023:4310