Bug 2107392 (CVE-2022-30633) - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
Summary: CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-30633
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat2115482 Red Hat2115487 Red Hat2115490 2107393 Red Hat2109914 Red Hat2109915 Red Hat2109916 Red Hat2109917 2110330 Engineering2111001 Red Hat2111496 Red Hat2111746 Red Hat2111747 Red Hat2111758 Red Hat2111759 Red Hat2111760 Red Hat2111765 Red Hat2111766 Red Hat2111767 Red Hat2111786 Red Hat2112009 Red Hat2112010 Red Hat2115483 Red Hat2115484 Red Hat2115485 Red Hat2115486 Red Hat2115488 Red Hat2115489 Red Hat2115491 Red Hat2115492 Red Hat2115493 Red Hat2115494 Red Hat2115498 Red Hat2115499 Engineering2123509 Engineering2123510 Engineering2123514 Engineering2123748 Engineering2123750 Engineering2123754
Blocks: Embargoed2108717
TreeView+ depends on / blocked
 
Reported: 2022-07-14 21:42 UTC by Anten Skrabec
Modified: 2023-05-17 00:38 UTC (History)
198 users (show)

Fixed In Version: golang 1.18.4, golang 1.17.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion.
Clone Of:
Environment:
Last Closed: 2023-05-17 00:38:59 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5800 0 None None None 2022-08-01 16:00:11 UTC
Red Hat Product Errata RHBA-2022:6131 0 None None None 2022-08-22 19:36:49 UTC
Red Hat Product Errata RHSA-2022:5775 0 None None None 2022-08-01 12:05:14 UTC
Red Hat Product Errata RHSA-2022:5799 0 None None None 2022-08-01 16:05:08 UTC
Red Hat Product Errata RHSA-2022:5866 0 None None None 2022-08-02 09:54:32 UTC
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:17:39 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:38:37 UTC
Red Hat Product Errata RHSA-2022:6113 0 None None None 2022-08-18 15:12:17 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:42:24 UTC
Red Hat Product Errata RHSA-2022:6188 0 None None None 2022-08-25 11:22:27 UTC
Red Hat Product Errata RHSA-2022:6283 0 None None None 2022-08-31 18:50:07 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:35:57 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:04:01 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:59:56 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:44:23 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:30:53 UTC
Red Hat Product Errata RHSA-2022:7519 0 None None None 2022-11-08 09:25:17 UTC
Red Hat Product Errata RHSA-2022:7529 0 None None None 2022-11-08 09:30:06 UTC
Red Hat Product Errata RHSA-2022:8057 0 None None None 2022-11-15 10:08:09 UTC
Red Hat Product Errata RHSA-2022:9047 0 None None None 2022-12-15 01:58:49 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:50:11 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:36:04 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:40:33 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:09:32 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:14:19 UTC

Description Anten Skrabec 2022-07-14 21:42:36 UTC 
Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.
Comment 1 Anten Skrabec 2022-07-14 21:42:52 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107393]
Comment 6 Avinash Hanwate 2022-07-25 08:33:53 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110330]
Comment 16 errata-xmlrpc 2022-08-01 12:05:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775
Comment 17 errata-xmlrpc 2022-08-01 16:05:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799
Comment 18 errata-xmlrpc 2022-08-02 09:54:22 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866
Comment 21 errata-xmlrpc 2022-08-10 11:38:30 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 22 errata-xmlrpc 2022-08-10 13:17:32 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 26 errata-xmlrpc 2022-08-18 15:12:08 UTC 
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113
Comment 27 errata-xmlrpc 2022-08-25 11:22:17 UTC 
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188
Comment 28 errata-xmlrpc 2022-08-31 18:49:59 UTC 
This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:6283 https://access.redhat.com/errata/RHSA-2022:6283
Comment 29 errata-xmlrpc 2022-09-01 05:42:13 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 30 errata-xmlrpc 2022-09-06 12:59:45 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 31 errata-xmlrpc 2022-09-06 13:03:51 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 32 errata-xmlrpc 2022-09-06 13:44:13 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 33 errata-xmlrpc 2022-09-06 14:35:47 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 34 errata-xmlrpc 2022-09-06 22:30:43 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 41 errata-xmlrpc 2022-11-08 09:25:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
Comment 42 errata-xmlrpc 2022-11-08 09:29:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529
Comment 43 errata-xmlrpc 2022-11-15 10:07:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
Comment 48 errata-xmlrpc 2022-12-15 01:58:38 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 63 errata-xmlrpc 2023-01-24 12:49:59 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 64 errata-xmlrpc 2023-01-24 13:35:54 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 73 errata-xmlrpc 2023-03-06 18:40:22 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 77 errata-xmlrpc 2023-05-16 08:09:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 78 errata-xmlrpc 2023-05-16 08:14:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802
Comment 80 Product Security DevOps Team 2023-05-17 00:38:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30633
Note You need to log in before you can comment on or make changes to this bug.