Bug 2132872 (CVE-2022-41715) - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
Summary: CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41715
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2138892 2132874 2132875 2133915 2133916 2133917 2133920 2133922 2133923 2133924 2133925 2133926 2133927 2134347 2134405 2134406 2134407 2134441 2134442 2134443 2134445 2134446 2134447 2134448 2134449 2134450 2134453 2134454 2134455 2134456 2134457 2134467 2134468 2134471 2134472 2134473 2134474 2134475 2134476 2134477 2134481 2134482 2134483 2134484 2134485 2134486 2134487 2134488 2134489 2134490 2134491 2134492 2134493 2134494 2134495 2134496 2134497 2134498 2134499 2134500 2134501 2135724 2135725 2135726 2135727 2136717 2136718 2136719 2136720 2136721 2136722 2136723 2136835 2136839 2136841 2136843 2136849 2138893 2168805
Blocks: 2132475
TreeView+ depends on / blocked
 
Reported: 2022-10-07 04:57 UTC by Avinash Hanwate
Modified: 2024-04-02 15:27 UTC (History)
126 users (show)

Fixed In Version: go 1.19.2, go 1.18.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
Clone Of:
Environment:
Last Closed: 2023-05-18 19:43:35 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7398 0 None None None 2023-01-17 14:51:35 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:37:33 UTC
Red Hat Product Errata RHSA-2022:8781 0 None None None 2022-12-08 07:38:00 UTC
Red Hat Product Errata RHSA-2023:0264 0 None None None 2023-01-19 11:04:41 UTC
Red Hat Product Errata RHSA-2023:0328 0 None None None 2023-01-23 15:20:41 UTC
Red Hat Product Errata RHSA-2023:0445 0 None None None 2023-01-25 08:31:19 UTC
Red Hat Product Errata RHSA-2023:0446 0 None None None 2023-01-25 09:16:02 UTC
Red Hat Product Errata RHSA-2023:0542 0 None None None 2023-01-30 17:21:07 UTC
Red Hat Product Errata RHSA-2023:0584 0 None None None 2023-05-18 14:28:01 UTC
Red Hat Product Errata RHSA-2023:0631 0 None None None 2023-02-07 17:24:17 UTC
Red Hat Product Errata RHSA-2023:0693 0 None None None 2023-02-09 02:17:34 UTC
Red Hat Product Errata RHSA-2023:0708 0 None None None 2023-02-09 09:26:19 UTC
Red Hat Product Errata RHSA-2023:0709 0 None None None 2023-02-09 12:05:47 UTC
Red Hat Product Errata RHSA-2023:0727 0 None None None 2023-02-16 14:14:21 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:41:01 UTC
Red Hat Product Errata RHSA-2023:1079 0 None None None 2023-03-06 16:24:48 UTC
Red Hat Product Errata RHSA-2023:1174 0 None None None 2023-03-09 01:25:08 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:56:15 UTC
Red Hat Product Errata RHSA-2023:1529 0 None None None 2023-03-30 00:44:08 UTC
Red Hat Product Errata RHSA-2023:2167 0 None None None 2023-05-09 07:13:52 UTC
Red Hat Product Errata RHSA-2023:2204 0 None None None 2023-05-09 07:17:59 UTC
Red Hat Product Errata RHSA-2023:2357 0 None None None 2023-05-09 07:35:28 UTC
Red Hat Product Errata RHSA-2023:2592 0 None None None 2023-05-09 08:02:20 UTC
Red Hat Product Errata RHSA-2023:2780 0 None None None 2023-05-16 08:11:56 UTC
Red Hat Product Errata RHSA-2023:2784 0 None None None 2023-05-16 08:12:25 UTC
Red Hat Product Errata RHSA-2023:2866 0 None None None 2023-05-16 08:22:07 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:55:35 UTC
Red Hat Product Errata RHSA-2023:3613 0 None None None 2023-06-26 01:16:03 UTC
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 16:01:18 UTC
Red Hat Product Errata RHSA-2023:3664 0 None None None 2023-06-19 10:33:16 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:52:04 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:13 UTC
Red Hat Product Errata RHSA-2024:0121 0 None None None 2024-01-10 11:28:04 UTC

Description Avinash Hanwate 2022-10-07 04:57:59 UTC 
The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

ref: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1
Comment 1 Avinash Hanwate 2022-10-07 05:04:55 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2132874]
Affects: fedora-all [bug 2132875]
Comment 12 TEJ RATHI 2022-10-13 13:32:06 UTC 
References:
https://github.com/golang/go/issues/55949

Upstream Commits:
Master : https://github.com/golang/go/commit/c3c4aea55b404c2e6ef109ec6a345f4ccb877381
branch.go1.18 : https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997
branch.go1.19 : https://github.com/golang/go/commit/645abfe529dc325e16daa17210640c2907d1c17a
Comment 20 errata-xmlrpc 2022-12-08 07:37:54 UTC 
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781
Comment 37 errata-xmlrpc 2023-01-17 14:51:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398
Comment 38 errata-xmlrpc 2023-01-17 19:37:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399
Comment 39 errata-xmlrpc 2023-01-19 11:04:37 UTC 
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264
Comment 43 errata-xmlrpc 2023-01-23 15:20:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0328 https://access.redhat.com/errata/RHSA-2023:0328
Comment 44 errata-xmlrpc 2023-01-25 08:31:12 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:0445 https://access.redhat.com/errata/RHSA-2023:0445
Comment 45 errata-xmlrpc 2023-01-25 09:15:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0446 https://access.redhat.com/errata/RHSA-2023:0446
Comment 46 errata-xmlrpc 2023-01-30 17:21:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542
Comment 54 errata-xmlrpc 2023-02-07 17:24:12 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0631 https://access.redhat.com/errata/RHSA-2023:0631
Comment 56 errata-xmlrpc 2023-02-09 02:17:28 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693
Comment 57 errata-xmlrpc 2023-02-09 09:26:15 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708
Comment 58 errata-xmlrpc 2023-02-09 12:05:42 UTC 
This issue has been addressed in the following products:

  RHOSS-1.27-RHEL-8

Via RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709
Comment 60 errata-xmlrpc 2023-02-16 14:14:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:0727 https://access.redhat.com/errata/RHSA-2023:0727
Comment 62 errata-xmlrpc 2023-03-06 16:24:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1079 https://access.redhat.com/errata/RHSA-2023:1079
Comment 63 errata-xmlrpc 2023-03-06 18:40:55 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 64 errata-xmlrpc 2023-03-09 01:25:04 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:1174 https://access.redhat.com/errata/RHSA-2023:1174
Comment 67 errata-xmlrpc 2023-03-15 19:56:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
Comment 68 errata-xmlrpc 2023-03-30 00:44:03 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
Comment 69 errata-xmlrpc 2023-05-09 07:13:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2167 https://access.redhat.com/errata/RHSA-2023:2167
Comment 70 errata-xmlrpc 2023-05-09 07:17:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204
Comment 71 errata-xmlrpc 2023-05-09 07:35:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357
Comment 72 errata-xmlrpc 2023-05-09 08:02:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2592 https://access.redhat.com/errata/RHSA-2023:2592
Comment 75 errata-xmlrpc 2023-05-16 08:11:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780
Comment 76 errata-xmlrpc 2023-05-16 08:12:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2784 https://access.redhat.com/errata/RHSA-2023:2784
Comment 77 errata-xmlrpc 2023-05-16 08:22:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2866 https://access.redhat.com/errata/RHSA-2023:2866
Comment 79 errata-xmlrpc 2023-05-18 02:55:29 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205
Comment 80 errata-xmlrpc 2023-05-18 14:27:55 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584
Comment 81 Product Security DevOps Team 2023-05-18 19:43:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41715
Comment 82 errata-xmlrpc 2023-06-15 16:01:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
Comment 84 errata-xmlrpc 2023-06-19 10:33:09 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3664 https://access.redhat.com/errata/RHSA-2023:3664
Comment 85 errata-xmlrpc 2023-06-22 19:51:57 UTC 
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
Comment 86 errata-xmlrpc 2023-06-26 01:15:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613
Comment 87 errata-xmlrpc 2023-07-10 08:51:06 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
Comment 90 errata-xmlrpc 2024-01-10 11:27:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121
Note You need to log in before you can comment on or make changes to this bug.