Bug 2107371 (CVE-2022-30630) - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
Summary: CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-30630
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2115934 2107372 2109914 2109915 2109916 2109917 2110276 2110355 2111001 2111496 2111746 2111747 2111752 2111753 2111758 2111759 2111760 2111765 2111766 2111767 2111772 2111773 2111774 2111775 2111782 2111783 2111786 2111789 2111790 2111791 2111792 2111796 2111797 2111798 2111803 2111805 2111806 2111807 2111808 2111816 2111821 2111822 2111823 2111826 2111827 2111828 2111829 2111830 2111831 2111833 2112009 2112010 2115932 2115933 2115935 2115936 2115937 2115938 2115939 2115940 2115941 2115942 2115943 2115944 2115945 2115946 2115947 2115948 2115949 2115950 2115951 2115952 2123509 2123510 2123514 2123748 2123750 2123754 2134423 2134424 2168805
Blocks: 2106609
TreeView+ depends on / blocked
 
Reported: 2022-07-14 20:30 UTC by Anten Skrabec
Modified: 2024-01-11 16:16 UTC (History)
281 users (show)

Fixed In Version: golang 1.18.4, golang 1.17.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.
Clone Of:
Environment:
Last Closed: 2023-05-16 23:46:17 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5800 0 None None None 2022-08-01 15:59:33 UTC
Red Hat Product Errata RHBA-2022:6131 0 None None None 2022-08-22 19:35:54 UTC
Red Hat Product Errata RHSA-2022:5775 0 None None None 2022-08-01 12:04:11 UTC
Red Hat Product Errata RHSA-2022:5799 0 None None None 2022-08-01 16:04:08 UTC
Red Hat Product Errata RHSA-2022:5866 0 None None None 2022-08-02 09:53:37 UTC
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:16:17 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:37:30 UTC
Red Hat Product Errata RHSA-2022:6113 0 None None None 2022-08-18 15:10:36 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:41:21 UTC
Red Hat Product Errata RHSA-2022:6188 0 None None None 2022-08-25 11:21:21 UTC
Red Hat Product Errata RHSA-2022:6283 0 None None None 2022-08-31 18:49:34 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:33:50 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:03:00 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:58:47 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:43:07 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:29:56 UTC
Red Hat Product Errata RHSA-2022:6430 0 None None None 2022-09-13 02:10:25 UTC
Red Hat Product Errata RHSA-2022:7129 0 None None None 2022-10-25 09:29:56 UTC
Red Hat Product Errata RHSA-2022:7519 0 None None None 2022-11-08 09:26:04 UTC
Red Hat Product Errata RHSA-2022:7529 0 None None None 2022-11-08 09:28:54 UTC
Red Hat Product Errata RHSA-2022:7648 0 None None None 2022-11-08 10:00:21 UTC
Red Hat Product Errata RHSA-2022:8057 0 None None None 2022-11-15 10:06:44 UTC
Red Hat Product Errata RHSA-2022:8098 0 None None None 2022-11-15 10:15:18 UTC
Red Hat Product Errata RHSA-2022:8250 0 None None None 2022-11-15 10:43:49 UTC
Red Hat Product Errata RHSA-2022:9047 0 None None None 2022-12-15 01:57:51 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:23 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:35:11 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:39:31 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:55:31 UTC
Red Hat Product Errata RHSA-2023:1529 0 None None None 2023-03-30 00:43:33 UTC
Red Hat Product Errata RHSA-2023:2357 0 None None None 2023-05-09 07:34:41 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:08:44 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:14:50 UTC
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 16:00:33 UTC

Description Anten Skrabec 2022-07-14 20:30:29 UTC
Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

Comment 1 Anten Skrabec 2022-07-14 20:30:44 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107372]

Comment 2 Vitaly Zaitsev 2022-07-15 06:56:16 UTC
Why did you add me and all these people as CCs to this ticket?

Comment 5 Anten Skrabec 2022-07-18 19:30:13 UTC
In reply to comment #2:
> Why did you add me and all these people as CCs to this ticket?

No idea why that happened. This bug was created through tooling, I'll report a bug.

Comment 11 Avinash Hanwate 2022-07-25 09:58:29 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110355]

Comment 33 errata-xmlrpc 2022-08-01 12:03:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775

Comment 34 errata-xmlrpc 2022-08-01 16:03:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799

Comment 35 errata-xmlrpc 2022-08-02 09:53:24 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866

Comment 37 errata-xmlrpc 2022-08-10 11:37:18 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 38 errata-xmlrpc 2022-08-10 13:16:04 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

Comment 40 errata-xmlrpc 2022-08-18 15:10:26 UTC
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113

Comment 41 errata-xmlrpc 2022-08-25 11:21:07 UTC
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188

Comment 42 errata-xmlrpc 2022-08-31 18:49:21 UTC
This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:6283 https://access.redhat.com/errata/RHSA-2022:6283

Comment 43 errata-xmlrpc 2022-09-01 05:41:11 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152

Comment 44 errata-xmlrpc 2022-09-06 12:58:34 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347

Comment 45 errata-xmlrpc 2022-09-06 13:02:45 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346

Comment 46 errata-xmlrpc 2022-09-06 13:42:51 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348

Comment 47 errata-xmlrpc 2022-09-06 14:33:40 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345

Comment 48 errata-xmlrpc 2022-09-06 22:29:43 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370

Comment 49 errata-xmlrpc 2022-09-13 02:10:11 UTC
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430

Comment 54 errata-xmlrpc 2022-10-25 09:29:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129

Comment 58 errata-xmlrpc 2022-11-08 09:25:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519

Comment 59 errata-xmlrpc 2022-11-08 09:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529

Comment 60 errata-xmlrpc 2022-11-08 10:00:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7648 https://access.redhat.com/errata/RHSA-2022:7648

Comment 61 errata-xmlrpc 2022-11-15 10:06:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057

Comment 62 errata-xmlrpc 2022-11-15 10:15:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8098 https://access.redhat.com/errata/RHSA-2022:8098

Comment 63 errata-xmlrpc 2022-11-15 10:43:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8250 https://access.redhat.com/errata/RHSA-2022:8250

Comment 68 errata-xmlrpc 2022-12-15 01:57:43 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047

Comment 83 errata-xmlrpc 2023-01-24 12:49:11 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 84 errata-xmlrpc 2023-01-24 13:34:58 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408

Comment 95 errata-xmlrpc 2023-03-06 18:39:19 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042

Comment 97 errata-xmlrpc 2023-03-15 19:55:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

Comment 98 errata-xmlrpc 2023-03-30 00:43:19 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529

Comment 99 errata-xmlrpc 2023-05-09 07:34:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357

Comment 103 errata-xmlrpc 2023-05-16 08:08:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758

Comment 104 errata-xmlrpc 2023-05-16 08:14:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802

Comment 106 Product Security DevOps Team 2023-05-16 23:46:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30630

Comment 107 errata-xmlrpc 2023-06-15 16:00:15 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642


Note You need to log in before you can comment on or make changes to this bug.