Bug 1210128 (CVE-2023-24536) - VUL-0: CVE-2023-24536: go1.19,go1.20: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
Summary: VUL-0: CVE-2023-24536: go1.19,go1.20: net/http, net/textproto, mime/multipart...
Status: RESOLVED FIXED
Alias: CVE-2023-24536
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/362386/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-24536:5.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-05 01:45 UTC by Jeff Kowalczyk
Modified: 2024-05-06 11:55 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2023-04-05 01:45:43 UTC 
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes:

mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm could undercount the amount of memory consumed, leading it to accept larger inputs than intended.

Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.

ReadForm could allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.

The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations.

In addition, mime/multipart.Reader now imposes the following limits on the size of parsed forms:

Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=.

Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.
Comment 1 OBSbugzilla Bot 2023-04-05 04:45:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1210128) was mentioned in
https://build.opensuse.org/request/show/1077384 Factory / go1.19
https://build.opensuse.org/request/show/1077385 Factory / go1.20
Comment 3 Maintenance Automation 2023-04-06 16:30:01 UTC 
SUSE-SU-2023:1792-1: An update that solves four vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1200441, 1210127, 1210128, 1210129, 1210130
CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538
Sources used:
openSUSE Leap 15.4 (src): go1.19-1.19.8-150000.1.26.1
Development Tools Module 15-SP4 (src): go1.19-1.19.8-150000.1.26.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.8-150000.1.26.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.8-150000.1.26.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.8-150000.1.26.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.8-150000.1.26.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.8-150000.1.26.1
SUSE Enterprise Storage 7.1 (src): go1.19-1.19.8-150000.1.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2023-04-06 16:30:05 UTC 
SUSE-SU-2023:1791-1: An update that solves four vulnerabilities, contains one feature and has one fix can now be installed.

Category: security (important)
Bug References: 1206346, 1210127, 1210128, 1210129, 1210130
CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.3-150000.1.8.1
Development Tools Module 15-SP4 (src): go1.20-1.20.3-150000.1.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2023-05-05 08:30:08 UTC 
SUSE-SU-2023:2105-1: An update that solves seven vulnerabilities and has three fixes can now be installed.

Category: security (important)
Bug References: 1206346, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031
CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.4-150000.1.11.1
Development Tools Module 15-SP4 (src): go1.20-1.20.4-150000.1.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-05-08 16:30:02 UTC 
SUSE-SU-2023:2127-1: An update that solves seven vulnerabilities, contains one feature and has four fixes can now be installed.

Category: security (important)
Bug References: 1200441, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031, 1211073
CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.19-1.19.9-150000.1.31.1
Development Tools Module 15-SP4 (src): go1.19-1.19.9-150000.1.31.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.9-150000.1.31.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.9-150000.1.31.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.9-150000.1.31.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.9-150000.1.31.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.9-150000.1.31.1
SUSE Enterprise Storage 7.1 (src): go1.19-1.19.9-150000.1.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-05-08 16:30:08 UTC 
SUSE-SU-2023:2105-2: An update that solves seven vulnerabilities and has three fixes can now be installed.

Category: security (important)
Bug References: 1206346, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031
CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400
Sources used:
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.20-1.20.4-150000.1.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Robert Frohl 2024-05-06 11:55:19 UTC 
done, closing