Bugzilla – Bug 1195835
VUL-0: CVE-2022-23772: go1.17,go1.16: overflow in Rat.SetString in math/big can lead to Uncontrolled Memory Consumption
Last modified: 2023-11-02 13:15:25 UTC
An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. This is CVE-2022-23772 and Go issue https://github.com/golang/go/issues/50699. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23772 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23772 https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
This was fixed in Go versions 1.16.14 and 1.17.7. Upstream patches: go1.16: https://github.com/golang/go/commit/07ee9e6445057e181fb3895df978748ffef30327 go1.17: https://github.com/golang/go/commit/539d430efb5043cc6a2d4d4fcd2866b11717039a
This is an autogenerated message for OBS integration: This bug (1195835) was mentioned in https://build.opensuse.org/request/show/953824 Factory / go1.16 https://build.opensuse.org/request/show/953825 Factory / go1.17
SUSE-SU-2022:0723-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1190649,1195834,1195835,1195838 CVE References: CVE-2022-23772,CVE-2022-23773,CVE-2022-23806 JIRA References: Sources used: SUSE Manager Server 4.1 (src): go1.17-1.17.7-1.20.1 SUSE Manager Retail Branch Server 4.1 (src): go1.17-1.17.7-1.20.1 SUSE Manager Proxy 4.1 (src): go1.17-1.17.7-1.20.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): go1.17-1.17.7-1.20.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): go1.17-1.17.7-1.20.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): go1.17-1.17.7-1.20.1 SUSE Linux Enterprise Realtime Extension 15-SP2 (src): go1.17-1.17.7-1.20.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.17-1.17.7-1.20.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): go1.17-1.17.7-1.20.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): go1.17-1.17.7-1.20.1 SUSE Enterprise Storage 7 (src): go1.17-1.17.7-1.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0723-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1190649,1195834,1195835,1195838 CVE References: CVE-2022-23772,CVE-2022-23773,CVE-2022-23806 JIRA References: Sources used: openSUSE Leap 15.4 (src): go1.17-1.17.7-1.20.1 openSUSE Leap 15.3 (src): go1.17-1.17.7-1.20.1
openSUSE-SU-2022:0724-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1182345,1195834,1195835,1195838 CVE References: CVE-2022-23772,CVE-2022-23773,CVE-2022-23806 JIRA References: Sources used: openSUSE Leap 15.4 (src): go1.16-1.16.14-1.43.1 openSUSE Leap 15.3 (src): go1.16-1.16.14-1.43.1
SUSE-SU-2022:0724-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1182345,1195834,1195835,1195838 CVE References: CVE-2022-23772,CVE-2022-23773,CVE-2022-23806 JIRA References: Sources used: SUSE Manager Server 4.1 (src): go1.16-1.16.14-1.43.1 SUSE Manager Retail Branch Server 4.1 (src): go1.16-1.16.14-1.43.1 SUSE Manager Proxy 4.1 (src): go1.16-1.16.14-1.43.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): go1.16-1.16.14-1.43.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): go1.16-1.16.14-1.43.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): go1.16-1.16.14-1.43.1 SUSE Linux Enterprise Realtime Extension 15-SP2 (src): go1.16-1.16.14-1.43.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): go1.16-1.16.14-1.43.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.16-1.16.14-1.43.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): go1.16-1.16.14-1.43.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): go1.16-1.16.14-1.43.1 SUSE Enterprise Storage 7 (src): go1.16-1.16.14-1.43.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
This is an autogenerated message for OBS integration: This bug (1195835) was mentioned in https://build.opensuse.org/request/show/1122671 Backports:SLE-12 / go1.17