Bug 2292787 (CVE-2024-24790) - CVE-2024-24790 golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
Summary: CVE-2024-24790 golang: net/netip: Unexpected behavior from Is methods for IPv...
Keywords:
Status: NEW
Alias: CVE-2024-24790
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2292919 2292929 2292931 2292932 2292933 2292936 2292937 2292940 2292941 2292963 2292964 2292965 2292966 2292967 2292969 2295971 2292918 2292934 2292935 2292938 2292939 2292960
Blocks: 2292754
Reported: 2024-06-17 22:04 UTC by Marco Benatto
Modified: 2024-07-24 18:53 UTC

Fixed In Version: golang 1.22.4, golang 1.21.11
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Go standard library package net/netip. The Is*() methods (IsPrivate(), IsPublic(), etc.) do not behave correctly for IPv4-mapped IPv6 addresses. This unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:4490 0 None None None 2024-07-11 08:15:44 UTC
Red Hat Product Errata RHSA-2024:4212 0 None None None 2024-07-02 09:01:26 UTC
Red Hat Product Errata RHSA-2024:4237 0 None None None 2024-07-02 15:22:24 UTC
Red Hat Product Errata RHSA-2024:4613 0 None None None 2024-07-24 18:53:39 UTC
Red Hat Product Errata RHSA-2024:4697 0 None None None 2024-07-22 10:11:34 UTC

Description Marco Benatto 2024-06-17 22:04:09 UTC
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

http://www.openwall.com/lists/oss-security/2024/06/04/1
https://go.dev/cl/590316
https://go.dev/issue/67680
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
https://pkg.go.dev/vuln/GO-2024-2887
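A defensive normalization for the behaviour described above, as an added Go example that is not part of this bug report or of the upstream fix: calling Unmap() before any Is* predicate yields the same answer for ::ffff:a.b.c.d as for a.b.c.d on both fixed and unfixed toolchains. The names classify and allowInternalOnly are hypothetical, and the address strings are constructed samples.

```go
package main

import (
	"fmt"
	"net/netip"
)

// classification holds the Is* results for one address.
type classification struct {
	Private   bool
	Loopback  bool
	LinkLocal bool
	Multicast bool
}

// classify normalizes with Unmap() first: an IPv4-mapped IPv6 address
// (::ffff:a.b.c.d) becomes plain a.b.c.d, so the predicates answer the
// same way on Go versions with and without the CVE-2024-24790 fix.
func classify(addr netip.Addr) classification {
	a := addr.Unmap()
	return classification{
		Private:   a.IsPrivate(),
		Loopback:  a.IsLoopback(),
		LinkLocal: a.IsLinkLocalUnicast(),
		Multicast: a.IsMulticast(),
	}
}

// allowInternalOnly is a hypothetical access check (not from the page) that
// admits only private or loopback callers. Without the Unmap() in classify,
// an unfixed Go would reject ::ffff:10.0.0.1 while accepting 10.0.0.1.
func allowInternalOnly(remote string) (bool, error) {
	addr, err := netip.ParseAddr(remote)
	if err != nil {
		return false, err
	}
	c := classify(addr)
	return c.Private || c.Loopback, nil
}

func main() {
	// Constructed inputs: plain IPv4, mapped forms, and a non-private IPv6 address.
	for _, s := range []string{"10.0.0.1", "::ffff:10.0.0.1", "::ffff:127.0.0.1", "2001:db8::1"} {
		addr := netip.MustParseAddr(s)
		raw := addr.IsPrivate() || addr.IsLoopback() // toolchain answer without Unmap()
		ok, _ := allowInternalOnly(s)
		fmt.Printf("%-18s raw=%-5v normalized=%v\n", s, raw, ok)
	}
}
```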

Comment 1 Marco Benatto 2024-06-18 16:45:15 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2292918]
Affects: fedora-all [bug 2292919]

Comment 23 Tom Sweeney 2024-06-18 19:42:46 UTC
This looks like it will be fixed in the next version of Golang 1.22 and 1.21. I believe that will be Go 1.22.5 and 1.21.12. Can someone from ProdSec or the Go team verify this, please, and add a "Fixed in Version" to this BZ?

Comment 28 errata-xmlrpc 2024-07-02 09:01:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4212 https://access.redhat.com/errata/RHSA-2024:4212

Comment 29 errata-xmlrpc 2024-07-02 15:22:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4237 https://access.redhat.com/errata/RHSA-2024:4237

Comment 30 errata-xmlrpc 2024-07-22 10:11:24 UTC
This issue has been addressed in the following products:

  Cryostat 3 on RHEL 8

Via RHSA-2024:4697 https://access.redhat.com/errata/RHSA-2024:4697

Comment 31 errata-xmlrpc 2024-07-24 18:53:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4613 https://access.redhat.com/errata/RHSA-2024:4613
