Bug 834635 (CVE-2022-24921) - <dev-lang/go-1.17.8: regexp.Compile stack exhaustion via deeply nested expression
Status: RESOLVED FIXED
Alias: CVE-2022-24921
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://groups.google.com/g/golang-an...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 835383
Blocks:
Reported: 2022-03-05 22:03 UTC by John Helmert III
Modified: 2022-08-04 14:04 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-05 22:03:37 UTC
CVE-2022-24921:

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-15 14:50:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=224dde94c574def3115f28b7bb373c2d22e9e31e

commit 224dde94c574def3115f28b7bb373c2d22e9e31e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-15 14:48:12 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-15 14:49:05 +0000

    dev-lang/go: add 1.17.8
    
    Bug: https://bugs.gentoo.org/834635
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.8.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-15 15:10:25 UTC
Thanks! Please stable if suitable
Comment 3 Larry the Git Cow gentoo-dev 2022-03-27 06:29:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7cf4bbfefa8561c12a2ef01f410b6cd9b0a283a

commit c7cf4bbfefa8561c12a2ef01f410b6cd9b0a283a
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-27 06:29:04 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-27 06:29:21 +0000

    dev-lang/go: drop 1.17.7
    
    Bug: https://bugs.gentoo.org/834635
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 -
 dev-lang/go/go-1.17.7.ebuild | 196 -------------------------------------------
 2 files changed, 197 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2022-08-04 14:02:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:04:32 UTC
GLSA released, all done!