Bug 1204501 (CVE-2022-32149)

Summary: VUL-0: CVE-2022-32149: grafana,cni,rekor,go1.19,terraform,go1.18,cri-o: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/344901/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2022-10-19 12:41:44 UTC
rh#2134010

A vulnerability was found in the golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Version v0.3.8 of golang.org/x/text fixes this vulnerability.

References:
https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
https://go.dev/issue/56152

Upstream Commit:
https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2134010
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32149
https://www.cve.org/CVERecord?id=CVE-2022-32149
https://pkg.go.dev/vuln/GO-2022-1059
https://go.dev/cl/442235
https://go.dev/issue/56152
https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ

Comment 1 Thomas Leroy 2022-10-19 12:45:38 UTC
After investigating, I identified several packages internally using the golang.org/x/text/language package:
- grafana
- cni
- rekor
- terraform
- cri-o

They all vendor a version of the vulnerable package, but none of them uses the vulnerable function, therefore they're not affected.

I'll keep this open because some packages could join the list with improvements to our tracking tooling.
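The two checks this triage relies on, written out as an added Go example (not code from this bug report or from any of the packages listed): whether a vendored golang.org/x/text version predates the fixed release v0.3.8, and whether a package's own source actually references ParseAcceptLanguage. The handler source embedded below is constructed for the example.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// sampleSrc is a constructed handler file (not from any real package) that reaches the advisory's function.
const sampleSrc = `package handler
import "golang.org/x/text/language"
func pick(h string) { _, _, _ = language.ParseAcceptLanguage(h) }
`

// vulnerableVersion reports whether a golang.org/x/text module version (e.g. the
// "# golang.org/x/text v0.3.7" line of vendor/modules.txt) predates v0.3.8, the fixed release.
func vulnerableVersion(v string) bool {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release/build suffixes: a pseudo-version v0.0.0-2022... counts as 0.0.0
	}
	fixed := [3]int{0, 3, 8}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p) // module versions always carry three numeric parts
		if n != fixed[i] {
			return n < fixed[i]
		}
	}
	return false
}

// referencesParseAcceptLanguage parses one Go source file and reports whether any selector
// names ParseAcceptLanguage; a vendored copy whose code never reaches it is not exposed here.
func referencesParseAcceptLanguage(src string) (bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "", src, 0)
	if err != nil {
		return false, err
	}
	found := false
	ast.Inspect(f, func(n ast.Node) bool {
		if s, ok := n.(*ast.SelectorExpr); ok && s.Sel.Name == "ParseAcceptLanguage" {
			found = true
		}
		return !found
	})
	return found, nil
}
```

Run it over every vendored copy and every .go file of a package; a hit on both checks is the case that needs an update, a hit on the version check alone is the situation described above.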