https://bugzilla.redhat.com/show_bug.cgi?id=1401985
Bug ID: 1401985
Summary: golang: net/http: multipart ReadForm close file after copy
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: admiller@redhat.com, amurdaca@redhat.com, aortega@redhat.com, apevec@redhat.com, ayoung@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, chrisw@redhat.com, cvsbot-xmlrpc@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, golang-updates@lists.fedoraproject.org, jcajka@redhat.com, jgoulding@redhat.com, jialiu@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, jschluet@redhat.com, kbasil@redhat.com, kseifried@redhat.com, lemenkov@gmail.com, lhh@redhat.com, lmeyer@redhat.com, lpeer@redhat.com, markmc@redhat.com, mmccomas@redhat.com, rbryant@redhat.com, renich@woralelandia.com, rhs-bugs@redhat.com, sclewis@redhat.com, sgirijan@redhat.com, sisharma@redhat.com, smohan@redhat.com, srevivo@redhat.com, ssaha@redhat.com, s@shk.io, storage-qa-internal@redhat.com, tdawson@redhat.com, tdecacqu@redhat.com, vbatts@redhat.com, vbellur@redhat.com
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
Upstream bug:
https://github.com/golang/go/issues/17965
Upstream patch:
https://go-review.googlesource.com/#/c/30410/
External Reference:
https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
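As an added illustration (my own example, not code from this bug, from the Go project, or from Red Hat), the block below mirrors the structure of multipart.Reader.ReadForm and shows the defensive pattern the fix title "close file after copy" describes: when a part exceeds maxMemory and is spooled to a temporary file, that file is closed immediately after the copy, inside the loop over parts, so the number of open descriptors does not grow with the number of parts. A deferred Close at that point would instead hold every spooled part's descriptor until the whole form had been parsed, which is the exhaustion the description above refers to. The names readFormCloseAfterCopy, spooledPart, buildForm, spoolCount and openFDCount are my own, and the multipart body is constructed in buildForm rather than captured traffic.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime/multipart"
	"os"
)

// spooledPart records where one part ended up: buffered in memory when it fit
// within maxMemory, or written to a temporary file that is already closed.
type spooledPart struct {
	Filename string
	Content  []byte // set for in-memory parts
	TmpPath  string // set for parts spooled to disk (file already closed)
}

// readFormCloseAfterCopy is a hypothetical reader that follows the shape of
// ReadForm: up to maxMemory bytes of a part stay in memory, anything larger is
// copied to a temp file. The descriptor is released right after the copy,
// inside the loop, rather than with a deferred Close that would keep every
// spooled file open until the function returns.
func readFormCloseAfterCopy(r *multipart.Reader, maxMemory int64) ([]spooledPart, error) {
	var parts []spooledPart
	for {
		p, err := r.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return parts, err
		}
		var b bytes.Buffer
		// Read one byte past the limit so we can tell "fits" from "too big".
		n, err := io.CopyN(&b, p, maxMemory+1)
		if err != nil && err != io.EOF {
			return parts, err
		}
		if n <= maxMemory {
			parts = append(parts, spooledPart{Filename: p.FileName(), Content: b.Bytes()})
			continue
		}
		file, err := os.CreateTemp("", "multipart-example-")
		if err != nil {
			return parts, err
		}
		_, err = io.Copy(file, io.MultiReader(&b, p))
		// Close unconditionally, and fold a close error into the copy result.
		if cerr := file.Close(); err == nil {
			err = cerr
		}
		if err != nil {
			os.Remove(file.Name())
			return parts, err
		}
		parts = append(parts, spooledPart{Filename: p.FileName(), TmpPath: file.Name()})
	}
	return parts, nil
}

// buildForm constructs a multipart body (constructed sample input) with n file
// parts of partSize bytes each and returns the body and its boundary.
func buildForm(n, partSize int) (*bytes.Buffer, string) {
	body := &bytes.Buffer{}
	w := multipart.NewWriter(body)
	payload := bytes.Repeat([]byte("x"), partSize)
	for i := 0; i < n; i++ {
		fw, _ := w.CreateFormFile("upload", fmt.Sprintf("file%d.bin", i))
		fw.Write(payload)
	}
	w.Close()
	return body, w.Boundary()
}

// spoolCount parses a constructed form and reports how many parts were spooled
// to disk, removing the temp files afterwards.
func spoolCount(n, partSize int, maxMemory int64) (int, error) {
	body, boundary := buildForm(n, partSize)
	parts, err := readFormCloseAfterCopy(multipart.NewReader(body, boundary), maxMemory)
	onDisk := 0
	for _, p := range parts {
		if p.TmpPath != "" {
			onDisk++
			os.Remove(p.TmpPath)
		}
	}
	return onDisk, err
}

// openFDCount reports this process's open descriptors via /proc/self/fd on
// Linux, or -1 where that directory is unavailable; handy for checking that
// the count is unchanged after parsing a form with many large parts.
func openFDCount() int {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return -1
	}
	return len(entries)
}

func main() {
	before := openFDCount()
	onDisk, err := spoolCount(200, 2048, 1024) // 200 parts, each above maxMemory
	fmt.Println("spooled to disk:", onDisk, "err:", err)
	fmt.Println("open fds before/after:", before, openFDCount())
}
```

Independently of the library fix, an application can bound its exposure by wrapping the request body with http.MaxBytesReader before calling ParseMultipartForm: every spooled part has to carry more than maxMemory bytes, so a body limit of L bytes caps the number of temp files a single request can have open at roughly L/maxMemory, even with a library version that still defers the close.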
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1401987
Depends On| |1401988
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created golang tracking bugs for this issue:
Affects: fedora-all [bug 1401987]
Affects: epel-all [bug 1401988]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1401987 [Bug 1401987] golang: net/http: multipart ReadForm close file after copy [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1401988 [Bug 1401988] golang: net/http: multipart ReadForm close file after copy [epel-all]
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1401989
Bug 1401985 depends on bug 1401987, which changed state.
Bug 1401987 Summary: golang: net/http: multipart ReadForm close file after copy [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1401987
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |slong@redhat.com
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,rhes-3.1/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=new,openstack-9-optools/golang=new,openstack-10-optools/golang=new,fedora-all/golang=affected,epel-all/golang=affected |impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,rhes-3.1/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=new,openstack-10-optools/golang=new,fedora-all/golang=affected,epel-all/golang=affected
Siddharth Sharma sisharma@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,rhes-3.1/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=new,openstack-10-optools/golang=new,fedora-all/golang=affected,epel-all/golang=affected |impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=new,openstack-10-optools/golang=new,fedora-all/golang=affected,epel-all/golang=affected
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=new,openstack-10-optools/golang=new,fedora-all/golang=affected,epel-all/golang=affected |impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=affected,openstack-10-optools/golang=affected,fedora-all/golang=affected,epel-all/golang=affected
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1405647
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1405648
Bug 1401985 depends on bug 1401988, which changed state.
Bug 1401988 Summary: golang: net/http: multipart ReadForm close file after copy [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1401988
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=affected,openstack-10-optools/golang=affected,fedora-all/golang=affected,epel-all/golang=affected |impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=affected,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=affected,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected |impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |WONTFIX
Last Closed| |2017-01-11 20:24:34
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|golang: net/http: multipart ReadForm close file after copy |CVE-2017-1000098 golang: net/http: multipart ReadForm close file after copy
Alias| |CVE-2017-1000098
Garth Mollett gmollett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CLOSED |NEW
Resolution|WONTFIX |---
Keywords| |Reopened
Tomas Hoger thoger@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |deparker@redhat.com
Whiteboard|impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=new,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected |impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=affected,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected
--- Comment #6 from Tomas Hoger thoger@redhat.com ---
Upstream commit:
https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
https://github.com/golang/go/commit/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
Upstream bug with more details:
https://github.com/golang/go/issues/16296
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ahardin@redhat.com, mchappel@redhat.com
Whiteboard|impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=affected,openshift-enterprise-3/golang=new,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected |impact=moderate,public=20161201,reported=20161205,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,rhel-7/golang=affected,openshift-enterprise-3/golang=notaffected,openstack-8-optools/golang=wontfix,openstack-9-optools/golang=wontfix,openstack-10-optools/golang=notaffected,fedora-all/golang=affected,epel-all/golang=affected