#1715 [golang] CVE-2024-34156 golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion [fedora-all] | rhbz#2310555
Closed by blockerbot. Opened by blockerbot.

Bug details: ** https://bugzilla.redhat.com/show_bug.cgi?id=2310555 **
Information from BlockerBugs App:
2310555

Current vote summary

Commented but haven't voted yet: frantisekz

The votes have been last counted at 2024-10-21 19:46 UTC and the last processed comment was #comment-939655

To learn how to vote, see:
https://pagure.io/fedora-qa/blocker-review
A quick example: BetaBlocker +1 (where the tracker name is one of BetaBlocker/FinalBlocker/BetaFE/FinalFE/0Day/PreviousRelease and the vote is one of +1/0/-1)


FinalBlocker +1
FinalFE +1

Bug 2310555 leads to CVE-2024-34156, rated 7.5. If Fedora 41 is affected (unclear to me), we should not ship Fedora 41 with this bug.
CVE info: https://access.redhat.com/security/cve/CVE-2024-34156.
Upstream issue: https://github.com/golang/go/issues/69139
Fix pending upstream.

For reference, link to security response: https://bugzilla.redhat.com/show_bug.cgi?id=2310528

This has been fixed in Go versions 1.23.1 and 1.22.7.
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk

https://packages.fedoraproject.org/pkgs/golang/golang/

Apologies for the noise.
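The comments above give the two patched toolchain releases (1.23.1 and 1.22.7). The following is an added example, not code from the ticket or from the Go project, that turns that statement into a check a packager or operator can run against a `runtime.Version()` string or the toolchain line printed by `go version -m <binary>`. The map of fixed patch levels comes from the ticket; the treatment of minor lines newer than 1.23 as fixed and older unsupported lines as unpatched is an assumption of this example.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// fixedPatch maps a Go 1.x minor line to the first patch release that
// contains the fix for CVE-2024-34156, as stated in the ticket:
// 1.22.7 and 1.23.1.
var fixedPatch = map[int]int{22: 7, 23: 1}

// parseGoVersion parses a toolchain string of the form "go1.22.6" (what
// runtime.Version() returns and what `go version -m` prints) into
// (major, minor, patch). Pre-release or development strings such as
// "go1.23rc2" or "devel go1.24-abc" are reported as not parseable.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, false
	}
	nums := make([]int, 3) // missing patch component defaults to 0 ("go1.23" == 1.23.0)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// Status classifies a toolchain version with respect to CVE-2024-34156.
// It returns "fixed", "vulnerable" or "unknown" (the last for strings that
// are not a release version and need a manual look).
func Status(v string) string {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok || major != 1 {
		return "unknown"
	}
	if fix, tracked := fixedPatch[minor]; tracked {
		if patch >= fix {
			return "fixed"
		}
		return "vulnerable"
	}
	if minor > 23 {
		// Assumption: minor lines released after the fix carry it.
		return "fixed"
	}
	// Assumption: minor lines older than 1.22 were out of support and never patched.
	return "vulnerable"
}

func main() {
	// Checks the toolchain this program itself was built with, then a few
	// constructed sample strings to show each classification.
	fmt.Printf("running toolchain %s: %s\n", runtime.Version(), Status(runtime.Version()))
	for _, v := range []string{"go1.22.6", "go1.22.7", "go1.23.0", "go1.23.1", "go1.23rc2"} {
		fmt.Printf("%-10s %s\n", v, Status(v))
	}
}
```

To audit an already-built binary rather than the installed toolchain, feed the `go1.x.y` token from the first line of `go version -m <path>` into `Status`; a binary reported as "vulnerable" needs a rebuild with a patched toolchain, which is exactly the "package update" path the review below relies on.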

FinalBlocker -1
FinalFE -1

FinalBlocker -1

The golang toolchain isn't shipped in artifacts so users installing this will get a zero day upgrade.

FinalBlocker -1
FinalFE -1

If it's not on any media, I don't see a reason for a blocker.

FinalBlocker -1
FinalFE -1

AGREED RejectedFinalBlocker
AGREED RejectedFinalFE

Discussed during the 2024-10-21 blocker review meeting [1]:

This is rejected on the basis that the issues caused can be "satisfactorily resolved by a package update" (per the criteria). Anything built with Go and persistently parsing untrusted input is probably some kind of system service which should be deployed only on an installed system. We are not aware of any likely context in which this vulnerability would be exposed in a live or installer environment.

[1] https://meetbot.fedoraproject.org/blocker-review_matrix_fedoraproject-org/2024-10-21/f41-blocker-review.2024-10-21-16.00.log.html

The following votes have been closed:

Metadata Update from @blockerbot:
- Issue status updated to: Closed (was: Open)

Release F41 is no longer tracked by BlockerBugs, closing this ticket.