[Bug 1235368] New: VUL-0: CVE-2024-45338: distrobuilder: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content
https://bugzilla.suse.com/show_bug.cgi?id=1235368 Bug ID: 1235368 Summary: VUL-0: CVE-2024-45338: distrobuilder: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/433408/ OS: Other Status: NEW Whiteboard: CVSSv3.1:SUSE:CVE-2024-45338:5.9:(AV:N/AC:H/PR:N/UI:N/ S:U/C:N/I:N/A:H) CVSSv4:SUSE:CVE-2024-45338:8.2:(AV:N/AC:H/AT:P/PR:N/UI :N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) Severity: Major Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: andrea.mattiazzo@suse.com QA Contact: security-team@suse.de Blocks: 1234794 Target Milestone: --- Found By: --- Blocker: --- An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-45338 https://www.cve.org/CVERecord?id=CVE-2024-45338 https://go.dev/cl/637536 https://go.dev/issue/70906 https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ https://pkg.go.dev/vuln/GO-2024-3333 https://bugzilla.redhat.com/show_bug.cgi?id=2333122 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1235368 https://bugzilla.suse.com/show_bug.cgi?id=1235368#c1 --- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo@suse.com> --- The packages below are or contain embedded packages that are vulnerable to CVE-2024-45338: - openSUSE:Factory/distrobuilder contains embedded package: golang.org/x/net/html (0.30.0) Please consider version bumping or patching the affected dependencies. The listed codestreams are affected. All other codestreams should not be affected, but feel free to double-check. This is a auto-generated message, please reach out to the reporter directly if you think this is incorrect. No bug-owner found for these packages, if the assignation is not correct feel free to re-assign. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1235368 Andrea Mattiazzo <andrea.mattiazzo@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|security-team@suse.de |containers-bugowner@suse.de -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1235368 SMASH SMASH <smash_bz@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1235368 https://bugzilla.suse.com/show_bug.cgi?id=1235368#c2 Alexandre Vicenzi <alexandre.vicenzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alexandre.vicenzi@suse.com --- Comment #2 from Alexandre Vicenzi <alexandre.vicenzi@suse.com> --- openSUSE:Factory/distrobuilder cotains gopkg.in/antchfx/htmlquery.v1 (v1.2.2) which requires golang.org/x/net/html and calls html.Parse, one of the affected functions but this CVE. antchfx/htmlquery v1.3.4 bumps golang.org/x/net to v0.33.0. distrobuilder should require this new version. I'll send a PR upstream. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1235368 Alexandre Vicenzi <alexandre.vicenzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|containers-bugowner@suse.de |alexandre.vicenzi@suse.com CC| |containers-bugowner@suse.de -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1235368 https://bugzilla.suse.com/show_bug.cgi?id=1235368#c3 Alexandre Vicenzi <alexandre.vicenzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #3 from Alexandre Vicenzi <alexandre.vicenzi@suse.com> --- A PR is on the way: https://github.com/lxc/distrobuilder/pull/893 One of the project maintainers said that it is very unlikely that this CVE could be exploited in distrobuilder since it is a DoS attack, and distrobuilder is not an online service. I would argue that the risk is low and the severity is minor. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com