Bug 915555 (CVE-2023-39325)

Summary: <dev-lang/go-{1.20.10,1.21.3}: rapid stream resets can cause excessive work
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: williamh
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 915900
Bug Blocks: 915553

Description Hans de Graaff gentoo-dev Security 2023-10-10 17:12:13 UTC
A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.

HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
This is also tracked by CVE-2023-44487.
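The mitigation the announcement describes, as an added Go model that is not part of this bug report or of Go's net/http source: handler slots are bounded by the stream concurrency limit (the 250 default from the announcement), requests arriving at the limit are queued until a handler exits, and a connection whose queue passes an assumed threshold is terminated. The queue cap, the type and function names and the stream counts are constructed assumptions for the model.

```go
package main

import "errors"

// Model of the fix described above: running handlers are capped at the stream
// concurrency limit, later requests queue, and a connection whose queue grows
// too large is closed. 250 is the page's default; the queue cap is assumed.
const (
	maxConcurrentStreams = 250
	maxQueuedRequests    = 1000 // assumed; the real threshold is not on the page
)

var ErrConnClosed = errors.New("request queue too large: connection terminated")

// connState tracks one HTTP/2 connection's executing and queued handlers.
type connState struct{ running, queued int }

// newStream runs when a HEADERS frame opens a stream. A stream the client has
// already reset still holds a slot, because its handler is still executing.
func (c *connState) newStream() error {
	if c.running < maxConcurrentStreams {
		c.running++
		return nil
	}
	if c.queued++; c.queued > maxQueuedRequests {
		return ErrConnClosed
	}
	return nil
}

// handlerExit frees a slot and starts one queued request, if any is waiting.
func (c *connState) handlerExit() {
	c.running--
	if c.queued > 0 {
		c.queued, c.running = c.queued-1, c.running+1
	}
}

// simulateRapidReset: a client opens n streams and resets each at once while
// no handler has finished. Pre-fix, all n handlers could run concurrently;
// with the bound, running never exceeds maxConcurrentStreams.
func simulateRapidReset(n int) (running, queued int, err error) {
	c := &connState{}
	for i := 0; i < n && err == nil; i++ {
		err = c.newStream() // RST_STREAM follows at once; the handler keeps running
	}
	return c.running, c.queued, err
}
```

With a 5000-stream burst the model ends with 250 running handlers, 1001 queued requests and the connection terminated, rather than 5000 concurrently executing handlers.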
Comment 1 Sebastian Pipping gentoo-dev 2023-10-12 13:19:00 UTC
Adding package dev-lang/go to the title and its maintainer to CC…
Comment 2 Sebastian Pipping gentoo-dev 2023-10-12 13:30:35 UTC
Bumping dev-lang/go to 1.21.3 and 1.20.10 is enough to fix the issue according to https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo.
Comment 3 Larry the Git Cow gentoo-dev 2023-10-17 17:53:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94aaf10bbb97211efdffb001a4be8852cd65d6ff

commit 94aaf10bbb97211efdffb001a4be8852cd65d6ff
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-10-17 17:53:17 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-10-17 17:53:27 +0000

    dev-lang/go: add 1.21.3
    
    Bug: https://bugs.gentoo.org/915555
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.21.3.ebuild | 210 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d31735413519485d5f4f0c1fde48a41f6820059

commit 4d31735413519485d5f4f0c1fde48a41f6820059
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-10-17 17:52:05 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-10-17 17:53:27 +0000

    dev-lang/go: add 1.20.10
    
    Bug: https://bugs.gentoo.org/915555
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   1 +
 dev-lang/go/go-1.20.10.ebuild | 210 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2023-11-25 08:57:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7f1e599c82e7f7f6b21bf1127d01d7dfa903e21c

commit 7f1e599c82e7f7f6b21bf1127d01d7dfa903e21c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-25 08:56:49 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-25 08:57:21 +0000

    [ GLSA 202311-09 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/873637
    Bug: https://bugs.gentoo.org/883783
    Bug: https://bugs.gentoo.org/894478
    Bug: https://bugs.gentoo.org/903979
    Bug: https://bugs.gentoo.org/908255
    Bug: https://bugs.gentoo.org/915555
    Bug: https://bugs.gentoo.org/916494
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-09.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)