Bug 1204023 (CVE-2022-41715) - VUL-0: CVE-2022-41715: go1.18,go1.19: regexp/syntax: limit memory used by parsing regexps
Summary: VUL-0: CVE-2022-41715: go1.18,go1.19: regexp/syntax: limit memory used by par...
Status: RESOLVED FIXED
Alias: CVE-2022-41715
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/344233/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-41715:6.2:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-04 21:14 UTC by Jeff Kowalczyk
Modified: 2024-08-05 16:20 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2022-10-04 21:14:35 UTC 
The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
Comment 1 OBSbugzilla Bot 2022-10-05 03:35:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1204023) was mentioned in
https://build.opensuse.org/request/show/1008077 Factory / go1.18
https://build.opensuse.org/request/show/1008078 Factory / go1.19
Comment 3 Swamp Workflow Management 2022-10-20 01:20:23 UTC 
SUSE-SU-2022:3669-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1200441,1204023,1204024,1204025
CVE References: CVE-2022-2879,CVE-2022-2880,CVE-2022-41715
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.19-1.19.2-150000.1.12.1
openSUSE Leap 15.3 (src):    go1.19-1.19.2-150000.1.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.19-1.19.2-150000.1.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.19-1.19.2-150000.1.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2022-10-20 01:21:25 UTC 
SUSE-SU-2022:3668-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1193742,1204023,1204024,1204025
CVE References: CVE-2022-2879,CVE-2022-2880,CVE-2022-41715
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.7-150000.1.34.1
openSUSE Leap 15.3 (src):    go1.18-1.18.7-150000.1.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.7-150000.1.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.7-150000.1.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Marcus Meissner 2022-12-05 14:20:13 UTC 
done
Comment 6 Marcus Meissner 2023-02-20 08:36:57 UTC 
*** Bug 1208441 has been marked as a duplicate of this bug. ***
Comment 7 Maintenance Automation 2023-05-11 20:30:10 UTC 
SUSE-SU-2023:2183-1: An update that solves four vulnerabilities, contains four features and has eight fixes can now be installed.

Category: security (important)
Bug References: 1047218, 1197284, 1203185, 1203599, 1204023, 1208049, 1208051, 1208060, 1208062, 1208064, 1208965, 1209113
CVE References: CVE-2022-27191, CVE-2022-27664, CVE-2022-41715, CVE-2022-46146
Jira References: MSQA-663, MSQA-665, PED-3576, PED-3578
Sources used:
SUSE OpenStack Cloud 9 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE OpenStack Cloud Crowbar 9 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Manager Client Tools for SLE 12 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4, golang-github-prometheus-prometheus-2.37.6-1.44.3, prometheus-postgres_exporter-0.10.1-1.11.5, golang-github-prometheus-promu-0.14.0-1.12.1, golang-github-prometheus-alertmanager-0.23.0-1.18.3, prometheus-blackbox_exporter-0.19.0-1.17.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise Server 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): golang-github-prometheus-node_exporter-1.5.0-1.24.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-05-11 20:30:16 UTC 
SUSE-SU-2023:2182-1: An update that solves two vulnerabilities, contains three features and has five fixes can now be installed.

Category: security (important)
Bug References: 1203599, 1204023, 1208049, 1208060, 1208062, 1208965, 1209113
CVE References: CVE-2022-41715, CVE-2022-46146
Jira References: MSQA-663, MSQA-665, PED-3576
Sources used:
openSUSE Leap 15.4 (src): prometheus-postgres_exporter-0.10.1-150000.1.11.4, prometheus-blackbox_exporter-0.19.0-150000.1.17.2, golang-github-prometheus-promu-0.14.0-150000.3.12.2
SUSE Manager Client Tools for SLE 15 (src): prometheus-postgres_exporter-0.10.1-150000.1.11.4, golang-github-prometheus-prometheus-2.37.6-150000.3.47.2, prometheus-blackbox_exporter-0.19.0-150000.1.17.2
SUSE Manager Client Tools for SLE Micro 5 (src): prometheus-blackbox_exporter-0.19.0-150000.1.17.2
SUSE Manager Proxy 4.2 Module 4.2 (src): prometheus-blackbox_exporter-0.19.0-150000.1.17.2
SUSE Manager Proxy 4.3 Module 4.3 (src): prometheus-blackbox_exporter-0.19.0-150000.1.17.2
SUSE Manager Server 4.2 Module 4.2 (src): prometheus-postgres_exporter-0.10.1-150000.1.11.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-05-30 08:30:07 UTC 
SUSE-SU-2023:2312-1: An update that solves 28 vulnerabilities, contains one feature and has three fixes can now be installed.

Category: security (important)
Bug References: 1183043, 1193742, 1198423, 1198424, 1198427, 1199413, 1200134, 1200135, 1200136, 1200137, 1201434, 1201436, 1201437, 1201440, 1201443, 1201444, 1201445, 1201447, 1201448, 1202035, 1203185, 1204023, 1204024, 1204025, 1204941, 1206134, 1206135, 1208270, 1208271, 1208272, 1208491
CVE References: CVE-2022-1705, CVE-2022-1962, CVE-2022-24675, CVE-2022-27536, CVE-2022-27664, CVE-2022-28131, CVE-2022-28327, CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30634, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
openSUSE Leap 15.5 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
Development Tools Module 15-SP4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1 (src): go1.18-openssl-1.18.10.1-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2024-02-15 16:32:02 UTC 
SUSE-SU-2024:0487-1: An update that solves eight vulnerabilities and contains one feature can now be installed.

Category: security (moderate)
Bug References: 1192154, 1192696, 1193492, 1193686, 1200480, 1204023, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2021-43798, CVE-2021-43815, CVE-2022-0155, CVE-2022-41715
Jira References: MSQA-719
Sources used:
openSUSE Leap 15.5 (src): golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.20.1, spacecmd-4.3.26-150000.3.113.1, prometheus-postgres_exporter-0.10.1-150000.1.17.1
SUSE Manager Client Tools for SLE 15 (src): spacewalk-client-tools-4.3.18-150000.3.86.2, mgr-daemon-4.3.8-150000.1.44.1, uyuni-proxy-systemd-services-4.3.10-150000.1.15.1, spacecmd-4.3.26-150000.3.113.1, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.20.1, golang-github-prometheus-prometheus-2.45.0-150000.3.53.1, grafana-9.5.8-150000.1.60.2, prometheus-postgres_exporter-0.10.1-150000.1.17.1
SUSE Manager Client Tools for SLE Micro 5 (src): uyuni-proxy-systemd-services-4.3.10-150000.1.15.1
SUSE Manager Proxy 4.3 Module 4.3 (src): golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.20.1
SUSE Manager Server 4.3 Module 4.3 (src): golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Maintenance Automation 2024-02-15 16:32:07 UTC 
SUSE-SU-2024:0486-1: An update that solves nine vulnerabilities and contains two features can now be installed.

Category: security (moderate)
Bug References: 1192154, 1192696, 1193492, 1193686, 1200480, 1204023, 1218838, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2021-43798, CVE-2021-43815, CVE-2022-0155, CVE-2022-41715, CVE-2023-40577
Jira References: MSQA-719, PED-7353
Sources used:
SUSE Manager Client Tools for SLE 12 (src): spacewalk-client-tools-4.3.18-52.95.2, mgr-daemon-4.3.8-1.44.2, golang-github-prometheus-alertmanager-0.26.0-1.24.2, golang-github-lusitaniae-apache_exporter-1.0.0-1.21.2, grafana-9.5.8-1.60.1, spacecmd-4.3.26-38.136.2, golang-github-prometheus-prometheus-2.45.0-1.50.2, prometheus-postgres_exporter-0.10.1-1.17.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2024-02-27 11:36:51 UTC 
SUSE-SU-2023:2598-1: An update that solves three vulnerabilities and contains two features can now be installed.

Category: security (important)
Bug References: 1204023, 1208049, 1208298
CVE References: CVE-2022-41715, CVE-2022-41723, CVE-2022-46146
Jira References: MSQA-665, PED-3576
Sources used:
openSUSE Leap 15.4 (src): golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
openSUSE Leap 15.5 (src): golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
SUSE Package Hub 15 15-SP5 (src): golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
SUSE Manager Proxy 4.2 Module 4.2 (src): golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
SUSE Manager Proxy 4.3 Module 4.3 (src): golang-github-prometheus-prometheus-2.37.6-150100.4.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2024-03-04 12:30:09 UTC 
SUSE-RU-2024:0746-1: An update that contains two features and has nine fixes can now be installed.

Category: recommended (moderate)
Bug References: 1192154, 1192696, 1193492, 1193686, 1200480, 1204023, 1218838, 1218843, 1218844
Jira References: MSQA-720, PED-7843
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): golang-github-prometheus-prometheus-2.45.0-4.36.1, spacewalk-client-tools-5.0.3-55.48.1, supportutils-plugin-susemanager-client-5.0.2-9.18.1, rhnlib-5.0.2-24.33.1, uyuni-tools-0.1.4-3.3.1, golang-github-prometheus-alertmanager-0.26.0-4.15.1, uyuni-common-libs-5.0.2-3.36.1, grafana-9.5.8-4.24.1, spacecmd-5.0.4-41.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2024-03-04 12:30:14 UTC 
SUSE-RU-2024:0745-1: An update that contains two features and has eight fixes can now be installed.

Category: recommended (moderate)
Bug References: 1192154, 1192696, 1193492, 1193686, 1200480, 1204023, 1218843, 1218844
Jira References: MSQA-720, PED-7843
Sources used:
SUSE Manager Client Tools Beta for SLE 15 (src): supportutils-plugin-susemanager-client-5.0.2-159000.6.18.1, grafana-9.5.8-159000.4.27.1, uyuni-tools-0.1.4-159000.3.3.1, uyuni-common-libs-5.0.2-159000.3.36.1, golang-github-prometheus-prometheus-2.45.0-159000.6.36.1, spacecmd-5.0.4-159000.6.45.1, spacewalk-client-tools-5.0.3-159000.6.51.1, rhnlib-5.0.2-159000.6.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.