Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

archive/tar: unbounded memory consumption when reading headers #54853

Closed
neild opened this issue Sep 3, 2022 · 6 comments
Closed

archive/tar: unbounded memory consumption when reading headers #54853

neild opened this issue Sep 3, 2022 · 6 comments
Assignees
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@neild
Copy link
Contributor

neild commented Sep 3, 2022

Reader.Read did not set a limit on the maximum size of file headers.
A maliciously crafted archive could cause Read to allocate unbounded
amounts of memory, potentially causing resource exhaustion or panics.
Reader.Read now limits the maximum size of header blocks to 1 MiB.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

@neild neild added the Security label Sep 3, 2022
@neild neild self-assigned this Sep 3, 2022
@seankhliao seankhliao added this to the Go1.20 milestone Sep 3, 2022
@neild neild modified the milestones: Go1.20, Go1.19.2 Sep 22, 2022
@neild neild assigned rolandshoemaker and unassigned neild Sep 22, 2022
@rolandshoemaker
Copy link
Member

@gopherbot please open backport issues.

@gopherbot
Copy link

Backport issue(s) opened: #55925 (for 1.18), #55926 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@dmitshur
Copy link
Contributor

Moving back to Go1.20 milestone. (Go1.19.2 now has #55926 backport issue.)

@dmitshur dmitshur modified the milestones: Go1.19.2, Go1.20 Sep 29, 2022
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 29, 2022
@gopherbot
Copy link

Change https://go.dev/cl/438498 mentions this issue: [release-branch.go1.19] archive/tar: limit size of headers

@gopherbot
Copy link

Change https://go.dev/cl/438500 mentions this issue: [release-branch.go1.18] archive/tar: limit size of headers

gopherbot pushed a commit that referenced this issue Oct 4, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates #54853
Fixes #55926

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438498
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
gopherbot pushed a commit that referenced this issue Oct 4, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates #54853
Fixes #55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
@cagedmantis cagedmantis changed the title security: fix CVE-2022-2879 archive/tar: unbounded memory consumption when reading headers Oct 4, 2022
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55926

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438498
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55926

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438498
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55926

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438498
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
@gopherbot
Copy link

Change https://go.dev/cl/439355 mentions this issue: archive/tar: limit size of headers

rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 5, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit that referenced this issue Oct 5, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
For #54853

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/439355
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
@golang golang deleted a comment Oct 8, 2022
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Wed, 5 Oct 2022
Backported By: rcrozean@amazon.com
Backported From: release-branch.go1.15
Source Commit: golang@0a72381
EKS Patch Source Commit: aws/eks-distro-build-tooling@1de4158

For building an internal version of go1.15, we removed the binary
information from this patch caused by ./src/archive/tar/pax-bad-hdr-large.tar.bz2
it was added to the repo:
https://github.com/aws/eks-distro-build-tooling/projects/golang/go/1.15/rpmbuild/SOURCE/pax-bad-hdr-large.tar.bz2

# Originial Information

Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
# AWS EKS
Backported To: go-1.16.15-eks
Backported On: Wed, 5 Oct 2022
Backported By: rcrozean@amazon.com
Backported From: release-branch.go1.18
Source Commit: golang@0a72381
EKS Patch Source Commit: aws/eks-distro-build-tooling@f4ce232

For building an internal version of go1.16, we removed the binary
information from this patch, describing ./src/archive/tar/pax-bad-hdr-large.tar.bz2
The file itself was added directly to the repository.
This was done due to fact that `diff`, used by RPMs for patch application, does not support binary diffs.
https://github.com/aws/eks-distro-build-tooling/projects/golang/go/1.16/rpmbuild/SOURCE/pax-bad-hdr-large.tar.bz2

# Original Information

Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 14, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
wormi4ok added a commit to wormi4ok/packages that referenced this issue Oct 20, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
apparentlymart added a commit to hashicorp/terraform that referenced this issue Nov 1, 2022
This includes a small selection of security-related fixes which do not
urgently impact Terraform's behavior but do close some potential avenues
for unbounded resource usage or misbehavior with malicious input:

 - golang/go#54853
 - golang/go#55949
 - golang/go#56284
apparentlymart added a commit to hashicorp/terraform that referenced this issue Nov 2, 2022
This includes a small selection of security-related fixes which do not
urgently impact Terraform's behavior but do close some potential avenues
for unbounded resource usage or misbehavior with malicious input:

 - golang/go#54853
 - golang/go#55949
 - golang/go#56284
wormi4ok added a commit to wormi4ok/packages that referenced this issue Nov 14, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
1715173329 pushed a commit to immortalwrt/packages that referenced this issue Nov 15, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
BKPepe pushed a commit to openwrt/packages that referenced this issue Dec 3, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* #19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
stokito pushed a commit to stokito/packages that referenced this issue Dec 6, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

5 participants