Bug 1208854

Summary:	VUL-0: CVE-2022-41727: amazon-ssm-agent,terraform-provider-aws,terraform-provider-azurerm,terraform-provider-helm,terraform-provider-null: golang.org/x/image: Uncontrolled Resource Consumption
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Cathy Hu <cathy.hu>
Component:	Incidents	Assignee:	SUSE Public Cloud Maintainer <public-cloud-maintainers>
Status:	RESOLVED INVALID	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P5 - None	CC:	adrian.glaubitz, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/358717/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1208853

Description Cathy Hu 2023-03-02 14:57:53 UTC

+++ This bug was initially created as a clone of Bug #1208853 +++

CVE-2022-41727

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

https://go.dev/cl/468195
https://go.dev/issue/58003
https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o
https://pkg.go.dev/vuln/GO-2023-1572

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41727
https://bugzilla.redhat.com/show_bug.cgi?id=2174311
https://www.cve.org/CVERecord?id=CVE-2022-41727
https://go.dev/cl/468195
https://go.dev/issue/58003
https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o
https://pkg.go.dev/vuln/GO-2023-1572

Comment 1 Cathy Hu 2023-03-02 15:03:03 UTC

Our scanners show golang.org/x/image with version < 0.5.0 embedded in:

- SUSE:SLE-12:Update/amazon-ssm-agent                                       
- SUSE:SLE-15:Update/amazon-ssm-agent                                       
- openSUSE:Factory/amazon-ssm-agent

- SUSE:SLE-15-SP1:Update/terraform-provider-aws                             
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/terraform-provider-aws      
- openSUSE:Factory/terraform-provider-aws

- SUSE:SLE-15-SP1:Update/terraform-provider-azurerm                         
- SUSE:SLE-15-SP2:Update/terraform-provider-azurerm                         
- openSUSE:Factory/terraform-provider-azurerm

- SUSE:SLE-15-SP1:Update/terraform-provider-helm                            
- SUSE:SLE-15-SP2:Update/terraform-provider-helm                            
- openSUSE:Factory/terraform-provider-helm

- SUSE:SLE-15-SP2:Update/terraform-provider-null                            
- openSUSE:Factory/terraform-provider-null

- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/terraform-provider-vsphere  
- openSUSE:Backports:SLE-15-SP4/terraform-provider-vsphere                  
- openSUSE:Factory/terraform-provider-vsphere

Comment 2 Cathy Hu 2023-03-02 15:13:10 UTC

terraform-provider-vsphere would be for coldpool, please ignore that one

Comment 3 John Paul Adrian Glaubitz 2023-03-02 15:19:55 UTC

(In reply to Hu from comment #1)
> Our scanners show golang.org/x/image with version < 0.5.0 embedded in:
> 
> - SUSE:SLE-12:Update/amazon-ssm-agent                                       
> - SUSE:SLE-15:Update/amazon-ssm-agent                                       
> - openSUSE:Factory/amazon-ssm-agent

Hmm, I just checked these and I don't see any x/image source code there.

Comment 4 Cathy Hu 2023-03-02 15:56:28 UTC

It seems to be an indirect dependency, it is listed in the go.sum. 

I will talk to the scanner dev and check the rest manually again, sorry for the noise

Comment 5 Cathy Hu 2023-03-02 16:14:52 UTC

Okay i checked, they were all false positives, sorry for the noise. Closing