Bug 2184484 (CVE-2023-24537) - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
Summary: CVE-2023-24537 golang: go/parser: Infinite loop in parsing
Keywords:
Status: NEW
Alias: CVE-2023-24537
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2186206 2187315 2187316 2187317 2187318 2187319 2187322 2187323 2189037 2189038 2189045 2189048 2189051 2189054 2189056 2186205 2186207 2187314 2187320 2187321 2187325 2187326 2189039 2189040 2189041 2189042 2189043 2189044 2189046 2189047 2189049 2189050 2189052 2189055
Blocks: 2184485
Reported: 2023-04-04 20:26 UTC by Pedro Sampaio
Modified: 2023-09-14 10:17 UTC (History)

Fixed In Version: golang 1.20.3, golang 1.19.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Go standard library's go/parser package. Calling any of its Parse functions on Go source code that contains a //line directive with a very large line number triggers an integer overflow that leaves the parser in an infinite loop. A remote attacker who can supply source code to an application that parses it with go/parser can use this to cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:
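
Because the fix shipped as toolchain releases (golang 1.19.8 and 1.20.3 above), the practical question for an operator is which deployed binaries were built with an older toolchain. Go 1.18 and later embed the build toolchain version in every binary, readable with `go version -m <file>` or the debug/buildinfo package. The program below is an added example written for this page, not Red Hat's or the Go project's tooling; its version parsing, and its treatment of branches before 1.19 as never having received a fix, are its own assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed Go release number ("go1.20.3" -> 1, 20, 3).
type goVersion struct {
	major, minor, patch int
}

// parseGoVersion turns strings such as "go1.20.3", "go1.19" or "go1.21rc2" into
// a goVersion. Development toolchains ("devel go1.21-abc123 ...") and anything
// else unparseable return ok=false so the caller treats them as unknown.
func parseGoVersion(s string) (v goVersion, ok bool) {
	s, _, _ = strings.Cut(strings.TrimSpace(s), " ") // drop "X:experiment" suffixes
	s = strings.TrimPrefix(s, "go")
	parts := strings.SplitN(s, ".", 3)
	var nums [3]int
	for i, p := range parts {
		j := 0
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			j++
		}
		// A non-numeric tail ("rc2", "beta1") is only legal on the last field.
		if j == 0 || (j < len(p) && i != len(parts)-1) {
			return v, false
		}
		nums[i], _ = strconv.Atoi(p[:j])
	}
	return goVersion{nums[0], nums[1], nums[2]}, true
}

// affectedByCVE202324537 reports whether a toolchain of this version still
// carries the go/parser bug. The fixed releases are the ones this advisory
// lists, 1.19.8 and 1.20.3. Assumption: branches before 1.19 were out of
// support and never received the fix; 1.21 and later were cut after it.
func affectedByCVE202324537(v goVersion) bool {
	if v.major != 1 {
		return false
	}
	switch {
	case v.minor < 19:
		return true
	case v.minor == 19:
		return v.patch < 8
	case v.minor == 20:
		return v.patch < 3
	default:
		return false
	}
}

// checkBinary reads the toolchain version recorded in a built Go binary and
// reports whether that toolchain is affected.
func checkBinary(path string) (version string, affected bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	v, ok := parseGoVersion(bi.GoVersion)
	if !ok {
		return bi.GoVersion, false, fmt.Errorf("cannot interpret toolchain version %q", bi.GoVersion)
	}
	return bi.GoVersion, affectedByCVE202324537(v), nil
}

func main() {
	paths := os.Args[1:]
	if len(paths) == 0 { // no arguments: inspect this program's own binary
		self, err := os.Executable()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		paths = []string{self}
	}
	exit := 0
	for _, p := range paths {
		ver, affected, err := checkBinary(p)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", p, err)
			exit = 2
		case affected:
			fmt.Printf("%s: built with %s, AFFECTED (needs go1.19.8 / go1.20.3 or later)\n", p, ver)
			exit = 1
		default:
			fmt.Printf("%s: built with %s, not affected\n", p, ver)
		}
	}
	os.Exit(exit)
}
```

Two caveats a scan like this cannot remove: the toolchain version says nothing about whether the binary actually feeds untrusted source to go/parser, so a hit is a candidate, not a confirmed exposure; and a distribution toolchain that backports fixes without bumping the upstream version string will be reported as affected, so for such builds the vendor errata (the RHSAs listed on this page) are the authority.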




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3167 0 None None None 2023-05-18 11:34:32 UTC
Red Hat Product Errata RHSA-2023:3323 0 None None None 2023-05-25 12:26:09 UTC
Red Hat Product Errata RHSA-2023:3367 0 None None None 2023-06-07 01:51:01 UTC
Red Hat Product Errata RHSA-2023:3445 0 None None None 2023-06-05 14:08:23 UTC
Red Hat Product Errata RHSA-2023:3450 0 None None None 2023-06-05 16:44:40 UTC
Red Hat Product Errata RHSA-2023:3455 0 None None None 2023-06-05 23:43:08 UTC
Red Hat Product Errata RHSA-2023:3540 0 None None None 2023-06-13 15:32:36 UTC
Red Hat Product Errata RHSA-2023:3612 0 None None None 2023-06-23 04:39:57 UTC
Red Hat Product Errata RHSA-2023:3624 0 None None None 2023-06-15 09:48:19 UTC
Red Hat Product Errata RHSA-2023:3918 0 None None None 2023-06-29 00:59:14 UTC
Red Hat Product Errata RHSA-2023:3943 0 None None None 2023-06-29 14:32:47 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:36 UTC
Red Hat Product Errata RHSA-2023:4093 0 None None None 2023-07-20 17:28:59 UTC
Red Hat Product Errata RHSA-2023:4335 0 None None None 2023-08-08 00:36:36 UTC
Red Hat Product Errata RHSA-2023:4470 0 None None None 2023-08-03 14:12:56 UTC
Red Hat Product Errata RHSA-2023:4627 0 None None None 2023-08-14 01:02:53 UTC
Red Hat Product Errata RHSA-2023:4657 0 None None None 2023-08-23 00:18:04 UTC
Red Hat Product Errata RHSA-2023:4664 0 None None None 2023-08-16 14:09:47 UTC
Red Hat Product Errata RHSA-2023:4986 0 None None None 2023-09-06 07:56:25 UTC

Description Pedro Sampaio 2023-04-04 20:26:24 UTC
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.

References:

https://github.com/golang/go/issues/59180
https://github.com/golang/go/issues/59274
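
The mechanism described above (and in the Doc Text) points at the obvious mitigation for code that must parse untrusted Go source while some of its toolchains may still be short of 1.19.8 / 1.20.3: refuse input whose line directives carry absurd line numbers before it ever reaches go/parser. The following is an added example written for this page, not code from the Go project or from the bug's reporter; the ceiling of 1<<30, the directive-payload parser and the sample inputs are all constructed assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// maxLineDefault is a hypothetical ceiling for the line number a line directive
// may carry. It is a policy knob chosen for this example, not a value taken
// from the upstream fix; no real source file comes anywhere near it.
const maxLineDefault int64 = 1 << 30

// numbersOf returns the trailing numeric fields of a directive payload, read
// from the right as the directive is defined: "f.go:10" -> [10],
// "f.go:10:5" -> [10 5] (line, column), `C:\f.go:7` -> [7]. A field too large
// for int64 is an error rather than "just part of the filename", because that
// is exactly the attacker-controlled shape this check exists to catch.
func numbersOf(payload string) ([]int64, error) {
	var nums []int64
	rest := strings.TrimRight(payload, " \t\r")
	for len(nums) < 2 {
		i := strings.LastIndexByte(rest, ':')
		if i < 0 {
			break
		}
		n, err := strconv.ParseInt(rest[i+1:], 10, 64)
		if errors.Is(err, strconv.ErrRange) {
			return nil, fmt.Errorf("directive number %q does not fit in int64", rest[i+1:])
		}
		if err != nil {
			break // not a number: what is left is the filename
		}
		nums = append([]int64{n}, nums...)
		rest = rest[:i]
	}
	return nums, nil
}

// checkLineDirectives rejects source in which any //line or /*line ... */
// directive carries a line number above maxLine, or one too large to parse.
func checkLineDirectives(src []byte, maxLine int64) error {
	check := func(payload string, at int) error {
		nums, err := numbersOf(payload)
		if err != nil {
			return fmt.Errorf("source line %d: %w", at, err)
		}
		if len(nums) > 0 && nums[0] > maxLine {
			return fmt.Errorf("source line %d: directive line number %d exceeds limit %d", at, nums[0], maxLine)
		}
		return nil
	}
	for i, raw := range bytes.Split(src, []byte("\n")) {
		line := string(raw)
		// The //line form only counts as a directive when it starts at column 1.
		if strings.HasPrefix(line, "//line ") {
			if err := check(line[len("//line "):], i+1); err != nil {
				return err
			}
		}
		// The /*line ... */ form may appear anywhere on the line, even repeatedly.
		rest := line
		for {
			start := strings.Index(rest, "/*line ")
			if start < 0 {
				break
			}
			rest = rest[start+len("/*line "):]
			end := strings.Index(rest, "*/")
			if end < 0 {
				break
			}
			if err := check(rest[:end], i+1); err != nil {
				return err
			}
			rest = rest[end+2:]
		}
	}
	return nil
}

// parseUntrusted gates go/parser behind the directive check so a hostile file
// never reaches the parser: on a patched toolchain this is belt and braces, on
// an older one it is the difference between an error and a hung worker.
func parseUntrusted(filename string, src []byte, maxLine int64) (*ast.File, error) {
	if err := checkLineDirectives(src, maxLine); err != nil {
		return nil, err
	}
	return parser.ParseFile(token.NewFileSet(), filename, src, parser.ParseComments)
}

// Constructed inputs for the demonstration: a benign generated file and one
// carrying a line number far beyond anything a real file could have.
var (
	benignSrc  = []byte("//line gen.go:10\npackage p\n\nfunc F() int { return 1 }\n")
	hostileSrc = []byte("//line gen.go:99999999999999999999\npackage p\n")
)

func main() {
	for name, src := range map[string][]byte{"benign": benignSrc, "hostile": hostileSrc} {
		f, err := parseUntrusted(name+".go", src, maxLineDefault)
		if err != nil {
			fmt.Printf("%s: rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: parsed package %s\n", name, f.Name.Name)
	}
}
```

The gate is deliberately stricter than the language needs to be: it rejects numbers that do not fit in int64 outright instead of falling back to "this must be part of the filename", and it applies the same ceiling to the /*line ... */ form. It is an input filter for this one known trigger, not a substitute for the upgrade; a toolchain below the fixed versions should still be replaced.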

Comment 8 Avinash Hanwate 2023-04-24 05:19:44 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2189039]
Affects: fedora-all [bug 2189044]

Comment 15 errata-xmlrpc 2023-05-18 11:34:26 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167

Comment 16 errata-xmlrpc 2023-05-25 12:26:03 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:3323 https://access.redhat.com/errata/RHSA-2023:3323

Comment 18 errata-xmlrpc 2023-06-05 14:08:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

Comment 19 errata-xmlrpc 2023-06-05 16:44:32 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 20 errata-xmlrpc 2023-06-05 23:43:02 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 21 errata-xmlrpc 2023-06-07 01:50:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367

Comment 22 errata-xmlrpc 2023-06-13 15:32:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3540 https://access.redhat.com/errata/RHSA-2023:3540

Comment 25 errata-xmlrpc 2023-06-15 09:48:12 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:3624 https://access.redhat.com/errata/RHSA-2023:3624

Comment 26 errata-xmlrpc 2023-06-23 04:39:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

Comment 27 errata-xmlrpc 2023-06-29 00:59:08 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918

Comment 28 errata-xmlrpc 2023-06-29 14:32:42 UTC
This issue has been addressed in the following products:

  RHACS-4.1-RHEL-8

Via RHSA-2023:3943 https://access.redhat.com/errata/RHSA-2023:3943

Comment 30 errata-xmlrpc 2023-07-10 08:51:29 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 33 errata-xmlrpc 2023-07-20 17:28:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093

Comment 35 errata-xmlrpc 2023-08-03 14:12:50 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

Comment 36 errata-xmlrpc 2023-08-08 00:36:31 UTC
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

Comment 37 errata-xmlrpc 2023-08-14 01:02:47 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 38 errata-xmlrpc 2023-08-16 14:09:42 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664

Comment 39 errata-xmlrpc 2023-08-23 00:17:58 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:4657 https://access.redhat.com/errata/RHSA-2023:4657

Comment 40 errata-xmlrpc 2023-09-06 07:56:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:4986 https://access.redhat.com/errata/RHSA-2023:4986

