
Bug 857822 (CVE-2022-1705, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148)

Summary: <dev-lang/go-{1.17.12,1.18.4}: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE/m/3SeTTJs9AwAJ
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 858086    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-12 21:57:21 UTC
From URL:

"net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

This is CVE-2022-1705 and https://go.dev/issue/53188.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

This is https://go.dev/issue/53423 and CVE-2022-32148.

Thanks to Christian Mehlmauer for reporting this issue.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on an XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost.

This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962 and Go issue https://go.dev/issue/53616."

Please bump to 1.18.4 and 1.17.12.
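
Go programs link the standard library statically, so a binary built with an older toolchain keeps the affected code until it is rebuilt. The following is an added example (not part of this bug report or of Gentoo's tooling) that reads the toolchain version embedded in a Go binary with `debug/buildinfo` and compares it with the fixed versions named in the summary; the function name `builtWithAffectedGo` is hypothetical, and treating 1.19 and later as outside the listed range is an assumption.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// builtWithAffectedGo reports whether a toolchain version such as "go1.18.3"
// is in the range the bug summary lists: below 1.17.12, or 1.18.x below 1.18.4.
// ok is false for strings that are not plain 1.x releases (rc, beta, devel).
func builtWithAffectedGo(v string) (affected, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if !strings.HasPrefix(v, "go") || len(parts) < 2 || len(parts) > 3 {
		return false, false
	}
	var n [3]int // major, minor, patch (patch defaults to 0)
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false, false
		}
		n[i] = x
	}
	switch {
	case n[0] != 1:
		return false, false // outside the 1.x series this bug covers
	case n[1] <= 17:
		return n[1] < 17 || n[2] < 12, true // 1.17 branch and older
	case n[1] == 18:
		return n[2] < 4, true
	default:
		return false, true // assumption: 1.19+ is outside the listed range
	}
}

func main() {
	for _, path := range os.Args[1:] { // paths of binaries to inspect
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Printf("%s: no Go build info (%v)\n", path, err)
			continue
		}
		affected, ok := builtWithAffectedGo(info.GoVersion)
		fmt.Printf("%s: %s affected=%v recognized=%v\n", path, info.GoVersion, affected, ok)
	}
}
```

Pass the paths of installed Go binaries as arguments; anything reported as affected needs a rebuild with the bumped toolchain, not just the dev-lang/go upgrade.
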
Comment 1 Larry the Git Cow gentoo-dev 2022-07-14 20:21:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdf476b2d38439f8d6a0e5c2ad06fbb8e8cc82f9

commit bdf476b2d38439f8d6a0e5c2ad06fbb8e8cc82f9
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-07-14 20:21:02 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-07-14 20:21:41 +0000

    dev-lang/go: add 1.17.12, 1.18.4
    
    Bug: https://bugs.gentoo.org/857822
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.17.12.ebuild | 196 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.18.4.ebuild  | 196 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 394 insertions(+)
Comment 2 William Hubbs gentoo-dev 2022-07-14 20:22:33 UTC
*** Bug 857177 has been marked as a duplicate of this bug. ***
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 01:36:58 UTC
Thanks! Please stable when ready.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-19 21:15:02 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2022-08-01 22:56:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63e7f2d9f00b58e5ed4346a0d9f9411d42a4429c

commit 63e7f2d9f00b58e5ed4346a0d9f9411d42a4429c
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-08-01 22:54:59 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-08-01 22:54:59 +0000

    dev-lang/go: drop 1.17.11, 1.18.3
    
    Bug: https://bugs.gentoo.org/857822
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 -
 dev-lang/go/go-1.17.11.ebuild | 196 ------------------------------------------
 dev-lang/go/go-1.18.3.ebuild  | 196 ------------------------------------------
 3 files changed, 394 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-08-04 14:02:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:12:35 UTC
GLSA released, all done!