net/http: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) #57855
Comments
@gopherbot please open backport issues.
Backport issue(s) opened: #58355 (for 1.19), #58356 (for 1.20). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
Change https://go.dev/cl/468118 mentions this issue:
Change https://go.dev/cl/468122 mentions this issue:
Change https://go.dev/cl/468135 mentions this issue:
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes.

Fixes CVE-2022-41723
Fixes #58356
Updates #57855

Change-Id: I603886b5b76c16303dab1420d4ec8b7c7cdcf330
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728940
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468122
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>

Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes.

Fixes CVE-2022-41723
Fixes #58355
Updates #57855

Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468118
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Change https://go.dev/cl/468295 mentions this issue:
Pull in HTTP/2 security fix: CL 468135: http2/hpack: avoid quadratic complexity in hpack decoding

For #57855

Change-Id: Id6b05dc52a1a585c41c6aff0c51665614fd5e215
Reviewed-on: https://go-review.googlesource.com/c/go/+/468295
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Change https://go.dev/cl/468335 mentions this issue:
Change https://go.dev/cl/468336 mentions this issue:
…ty in hpack decoding

When parsing a field literal containing two Huffman-encoded strings, don't decode the first string until verifying all data is present. Avoids forced quadratic complexity when repeatedly parsing a partial field, repeating the Huffman decoding of the string on each iteration.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes golang/go#57855
Fixes CVE-2022-41723
For golang/go#58355

Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 8e2b117)
Reviewed-on: https://go-review.googlesource.com/c/net/+/468335

…ty in hpack decoding

When parsing a field literal containing two Huffman-encoded strings, don't decode the first string until verifying all data is present. Avoids forced quadratic complexity when repeatedly parsing a partial field, repeating the Huffman decoding of the string on each iteration.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes golang/go#57855
Fixes CVE-2022-41723
For golang/go#58356

Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 8e2b117)
Reviewed-on: https://go-review.googlesource.com/c/net/+/468336
Change https://go.dev/cl/468302 mentions this issue:
Change https://go.dev/cl/468303 mentions this issue:
Update golang.org/x/net to the tip of internal-branch.go1.19-vendor to include CL 468335. The contents of that CL were already merged into this branch in CL 468118, so this CL just brings go.mod back in line to matching the actual vendored content.

For #58355
For #57855

Change-Id: Ie952744a5b2249f0c05afb7f86bebf872734b09a
Reviewed-on: https://go-review.googlesource.com/c/go/+/468303
Run-TryBot: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>

Update golang.org/x/net to the tip of internal-branch.go1.20-vendor to include CL 468336. The contents of that CL were already merged into this branch in CL 468122, so this CL just brings go.mod back in line to matching the actual vendored content.

For #58356
For #57855

Change-Id: I6ee9483077630c11c725927f38f6b69a784106db
Reviewed-on: https://go-review.googlesource.com/c/go/+/468302
Run-TryBot: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
- Update golang.org/x/net based on security scan
- This resolves vulnerability [CVE-2022-41723](golang/go#57855) in `x/net`
So, looking at https://pkg.go.dev/vuln/GO-2023-1571, it looks like the
If we upgrade golang.org/x/net to v0.7.0 and leave Golang at, say, v1.18.x, are we still vulnerable to this?
If you upgrade
Unfortunately, we don't have a good way for govulncheck to detect the case where the standard library's bundled HTTP/2 support is present but unused.
Updated dependency to v0.8.0 for all modules in the repo. CVE issue: golang/go#57855
Updated dependency to v0.8.0 across all modules in the repo. CVE issue: golang/go#57855
I use go 1.15, what should I do? Upgrade my go to 1.21? It will be a horrible mission. Can I just upgrade net package? Thank you.
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
This issue is also fixed in golang.org/x/net/http2, for users manually configuring HTTP/2.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is a PRIVATE issue for CVE-2022-41723, tracked in http://b/262602307 and fixed by http://tg/1688184.