Bug 1206711 (CVE-2021-38561) - VUL-0: CVE-2021-38561: go1.19,cni,go1.18: out-of-bounds read in golang.org/x/text/language leads to DoS
Summary: VUL-0: CVE-2021-38561: go1.19,cni,go1.18: out-of-bounds read in golang.org/x/...
Status: RESOLVED FIXED
Alias: CVE-2021-38561
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Andrea Manzini
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/335344/
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2022-12-27 09:43 UTC by Thomas Leroy
Modified: 2023-02-20 10:49 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Thomas Leroy 2022-12-27 09:57:17 UTC
go packages are already fixed, and cni packages in SUSE codestreams are not affected.
However, openSUSE:Factory/cni ships a vulnerable version of golang/x/text, and the upstream main branch is affected too.

So only openSUSE:Factory/cni should be affected.

Andrea, I am reassigning the bug to you because you were the last one to update openSUSE:Factory/cni; feel free to reassign it to someone else if there is someone more appropriate :)
Comment 2 Andrea Manzini 2022-12-29 14:18:06 UTC
Opened upstream issue: https://github.com/containernetworking/cni/issues/939
Comment 3 Andrea Manzini 2022-12-30 12:48:04 UTC
Submitted https://build.opensuse.org/request/show/1045814 to include the upstream patch in openSUSE:Factory/cni.
Comment 4 OBSbugzilla Bot 2023-01-09 10:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1206711) was mentioned in
https://build.opensuse.org/request/show/1057017 Factory / cni
Comment 5 Andrea Manzini 2023-02-20 10:49:09 UTC
Fixed with the upstream patch.