Bug 2113814 (CVE-2022-32189) - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Summary: CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can pan...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32189
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2113951 2118439 2118440 2118444 2118450 2118453 2118454 2134427 2113815 2113816 2115724 2115725 2115726 2115727 2116750 2116751 2116752 2116753 2116754 2116755 2116756 2116757 2116758 2116759 2116760 2116761 2116762 2116763 2116764 2116765 2116766 2116767 2116768 2116769 2116770 2116771 2116772 2116773 2116774 2116775 2116776 2116777 2116778 2116779 2116780 2116781 2116782 2116783 2116784 2116785 2116786 2116787 2118437 2118438 2118441 2118442 2118443 2118445 2118446 2118447 2118448 2118449 2118451 2118452 2118455 2118456 2118457 2134428 2168805
Blocks: 2113817
Reported: 2022-08-02 05:21 UTC by TEJ RATHI
Modified: 2023-05-18 19:12 UTC (History)

Fixed In Version: golang 1.17.13, golang 1.18.5
Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.
Clone Of:
Environment:
Last Closed: 2023-05-18 19:12:07 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7129 0 None None None 2022-10-25 09:31:57 UTC
Red Hat Product Errata RHSA-2022:7398 0 None None None 2023-01-17 14:51:16 UTC
Red Hat Product Errata RHSA-2022:7548 0 None None None 2022-11-08 09:33:27 UTC
Red Hat Product Errata RHSA-2022:7950 0 None None None 2022-11-15 09:47:22 UTC
Red Hat Product Errata RHSA-2022:8534 0 None None None 2022-11-24 04:08:58 UTC
Red Hat Product Errata RHSA-2022:8535 0 None None None 2022-11-24 04:14:15 UTC
Red Hat Product Errata RHSA-2022:8626 0 None None None 2022-11-28 20:43:45 UTC
Red Hat Product Errata RHSA-2022:8781 0 None None None 2022-12-08 07:37:43 UTC
Red Hat Product Errata RHSA-2023:0542 0 None None None 2023-01-30 17:20:54 UTC
Red Hat Product Errata RHSA-2023:0584 0 None None None 2023-05-18 14:27:47 UTC
Red Hat Product Errata RHSA-2023:0693 0 None None None 2023-02-09 02:17:30 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:56:03 UTC
Red Hat Product Errata RHSA-2023:1529 0 None None None 2023-03-30 00:43:51 UTC
Red Hat Product Errata RHSA-2023:2193 0 None None None 2023-05-09 07:15:56 UTC
Red Hat Product Errata RHSA-2023:2236 0 None None None 2023-05-09 07:20:22 UTC
Red Hat Product Errata RHSA-2023:2357 0 None None None 2023-05-09 07:35:13 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:09:45 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:14:18 UTC
Red Hat Product Errata RHSA-2023:3204 0 None None None 2023-05-18 00:36:30 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:55:18 UTC

Description TEJ RATHI 2022-08-02 05:21:23 UTC
A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

References:
https://go.dev/issue/53871
https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU

Upstream Commits:
Master : https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66
Branch.go1.17 : https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102
Branch.go1.18 : https://github.com/golang/go/commit/9240558e4f342fc6e98fec22de17c04b45089349
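The following Go program is an added example, not code from the Go project or from this bug report. It shows the defensive pattern for a service that must decode big.Float or big.Rat values from untrusted gob data while still running a Go release older than the fixed versions: wrap the decode step in a recover so a too-short message surfaces as an error instead of a process-killing panic. The names guardDecode, DecodeUntrusted, Payload and DecodePayload, and the sample messages, are my own constructions.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"fmt"
	"math/big"
)

// guardDecode runs one decode step and turns any panic raised inside it into
// an ordinary error. On Go before 1.17.13 / 1.18.5 a too-short big.Float or
// big.Rat message panics inside GobDecode (CVE-2022-32189); fixed versions return an error.
func guardDecode(step func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("gob decode rejected: %v", r)
		}
	}()
	return step()
}

// DecodeUntrusted decodes buf into any gob.GobDecoder (e.g. *big.Float or
// *big.Rat) without letting a malformed buffer crash the process.
func DecodeUntrusted(dst gob.GobDecoder, buf []byte) error {
	return guardDecode(func() error { return dst.GobDecode(buf) })
}

// Payload is a constructed message type; decoding a gob stream carrying it
// calls Float.GobDecode and Rat.GobDecode on bytes the sender controls.
type Payload struct {
	Price *big.Float
	Ratio *big.Rat
}

// DecodePayload applies the same guard to a whole gob stream.
func DecodePayload(data []byte) (*Payload, error) {
	var p Payload
	dec := gob.NewDecoder(bytes.NewReader(data))
	if err := guardDecode(func() error { return dec.Decode(&p) }); err != nil {
		return nil, err
	}
	return &p, nil
}

func main() {
	enc, _ := big.NewFloat(1.5).GobEncode() // constructed sample message
	var f big.Float
	fmt.Println(DecodeUntrusted(&f, enc), f.String()) // <nil> 1.5
	fmt.Println(DecodeUntrusted(&f, enc[:2]))          // error, never a panic
}
```

On a patched Go toolchain GobDecode already rejects the short buffer with an error, so the recover is only exercised on vulnerable releases; the wrapper behaves identically in both cases.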

Comment 1 TEJ RATHI 2022-08-02 05:23:50 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2113816]
Affects: fedora-all [bug 2113815]

Comment 9 errata-xmlrpc 2022-10-25 09:31:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129

Comment 12 errata-xmlrpc 2022-11-08 09:33:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7548 https://access.redhat.com/errata/RHSA-2022:7548

Comment 14 errata-xmlrpc 2022-11-15 09:47:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7950 https://access.redhat.com/errata/RHSA-2022:7950

Comment 20 errata-xmlrpc 2022-11-24 04:08:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8534 https://access.redhat.com/errata/RHSA-2022:8534

Comment 21 errata-xmlrpc 2022-11-24 04:14:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8535 https://access.redhat.com/errata/RHSA-2022:8535

Comment 24 errata-xmlrpc 2022-11-28 20:43:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8626 https://access.redhat.com/errata/RHSA-2022:8626

Comment 25 errata-xmlrpc 2022-12-08 07:37:37 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781

Comment 44 errata-xmlrpc 2023-01-17 14:51:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398

Comment 45 errata-xmlrpc 2023-01-30 17:20:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542

Comment 53 errata-xmlrpc 2023-02-09 02:17:24 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693

Comment 57 errata-xmlrpc 2023-03-15 19:55:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

Comment 58 errata-xmlrpc 2023-03-30 00:43:44 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529

Comment 62 errata-xmlrpc 2023-05-09 07:15:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2193 https://access.redhat.com/errata/RHSA-2023:2193

Comment 63 errata-xmlrpc 2023-05-09 07:20:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2236 https://access.redhat.com/errata/RHSA-2023:2236

Comment 64 errata-xmlrpc 2023-05-09 07:35:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357

Comment 67 errata-xmlrpc 2023-05-16 08:09:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758

Comment 68 errata-xmlrpc 2023-05-16 08:14:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802

Comment 70 errata-xmlrpc 2023-05-18 00:36:23 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13
  RHEL-7-CNV-4.13
  RHEL-8-CNV-4.13

Via RHSA-2023:3204 https://access.redhat.com/errata/RHSA-2023:3204

Comment 71 errata-xmlrpc 2023-05-18 02:55:10 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205

Comment 72 errata-xmlrpc 2023-05-18 14:27:39 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 73 Product Security DevOps Team 2023-05-18 19:11:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32189

