Bug 1079008 (CVE-2017-1000098)

Summary: VUL-0: CVE-2017-1000098: golang: net/http: multipart ReadForm close file after copy
Product: [openSUSE] openSUSE Distribution
Reporter: Victor Pereira <vpereira>
Component: Maintenance
Assignee: Containers Team <containers-bugowner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jmassaguerpla
Version: Leap 42.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/192821/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2018-02-02 09:07:22 UTC
rh#1401985

The net/http package's Request.ParseMultipartForm method starts writing to
temporary files once the request body size surpasses the given "maxMemory"
limit. It was possible for an attacker to generate a multipart request crafted
such that the server ran out of file descriptors.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1401985
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000098
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000098.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000098
https://golang.org/cl/30410
https://golang.org/issue/17965
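The description above concerns temp files that ParseMultipartForm spills to disk once a request exceeds maxMemory. Independently of the upstream fix that closes each temp file after copying, a server can bound what one request may consume: cap the body with http.MaxBytesReader before parsing, and call RemoveAll on the parsed form so spilled files are deleted on every return path. The following Go program is an added example written for this page, not code from the bug report or from the Go project; the handler name, the field name "upload" and the limits maxBodyBytes and maxMemory are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed limits for this example, not values taken from the bug report.
const (
	maxBodyBytes = 1 << 20  // reject any request body larger than 1 MiB
	maxMemory    = 32 << 10 // parts beyond 32 KiB in memory spill to temp files
)

// uploadHandler parses a multipart form while bounding the resources a single
// request can consume: the body is capped before parsing, and every temp file
// that ParseMultipartForm created is removed when the handler returns.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	if err := r.ParseMultipartForm(maxMemory); err != nil {
		// On a parse error net/http discards the temp files it already wrote.
		http.Error(w, "bad multipart form", http.StatusBadRequest)
		return
	}
	defer r.MultipartForm.RemoveAll() // deletes spilled temp files on every return path

	n := 0
	for _, hdrs := range r.MultipartForm.File {
		n += len(hdrs)
	}
	fmt.Fprintf(w, "files=%d", n)
}

// buildMultipart constructs a request body holding one file part of size bytes.
func buildMultipart(size int) (*bytes.Buffer, string) {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	fw, err := mw.CreateFormFile("upload", "blob.bin")
	if err != nil {
		panic(err)
	}
	if _, err := fw.Write(bytes.Repeat([]byte("A"), size)); err != nil {
		panic(err)
	}
	if err := mw.Close(); err != nil {
		panic(err)
	}
	return &buf, mw.FormDataContentType()
}

// postUpload drives the handler in-process with a constructed upload of the
// given size and returns the response status code and trimmed body.
func postUpload(size int) (int, string) {
	body, ctype := buildMultipart(size)
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", ctype)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// 64 KiB exceeds maxMemory, so the part is spilled to disk and then removed.
	code, body := postUpload(64 << 10)
	fmt.Println(code, body) // 200 files=1
	// 2 MiB exceeds maxBodyBytes, so parsing fails before the part is stored.
	code, body = postUpload(2 << 20)
	fmt.Println(code, body) // 400 bad multipart form
}
```

The body cap matters more than maxMemory for this class of bug: maxMemory only decides where a part is stored, whereas MaxBytesReader bounds how much a single request can make the server read and write at all, and RemoveAll ensures the on-disk copies do not outlive the request.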
Comment 1 Jordi Massaguer 2018-03-07 13:59:28 UTC
This fix is in go1.8, go1.9, go1.10 and in go1.7 >= 1.7.5

All our packages should have this fix already.
Comment 2 Jordi Massaguer 2018-03-07 14:10:40 UTC
Also in go1.6 >= 1.6.4. All our instances of go1.6 already contain this version.