Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 834635 (CVE-2022-24921) - <dev-lang/go-1.17.8: regexp.Compile stack exhaustion via deeply nested expression
Summary: <dev-lang/go-1.17.8: regexp.Compile stack exhaustion via deeply nested expres...
Status: RESOLVED FIXED
Alias: CVE-2022-24921
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://groups.google.com/g/golang-an...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 835383
Blocks:
  Show dependency tree
 
Reported: 2022-03-05 22:03 UTC by John Helmert III
Modified: 2022-08-04 14:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-05 22:03:37 UTC
CVE-2022-24921:

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-15 14:50:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=224dde94c574def3115f28b7bb373c2d22e9e31e

commit 224dde94c574def3115f28b7bb373c2d22e9e31e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-15 14:48:12 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-15 14:49:05 +0000

    dev-lang/go: add 1.17.8
    
    Bug: https://bugs.gentoo.org/834635
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.17.8.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-15 15:10:25 UTC
Thanks! Please stable if suitable
Comment 3 Larry the Git Cow gentoo-dev 2022-03-27 06:29:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7cf4bbfefa8561c12a2ef01f410b6cd9b0a283a

commit c7cf4bbfefa8561c12a2ef01f410b6cd9b0a283a
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-27 06:29:04 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-27 06:29:21 +0000

    dev-lang/go: drop 1.17.7
    
    Bug: https://bugs.gentoo.org/834635
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 -
 dev-lang/go/go-1.17.7.ebuild | 196 -------------------------------------------
 2 files changed, 197 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2022-08-04 14:02:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:04:32 UTC
GLSA released, all done!