Bugzilla – Bug 1196732
VUL-0: CVE-2022-24921: go1.17,go1.16: regexp: stack overflow (process exit) handling deeply nested regexp
Last modified: 2023-11-02 13:15:27 UTC
On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB. Thanks to Juho Nurminen of Mattermost for reporting this. This is CVE-2022-24921 and https://go.dev/issue/51112.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921
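The failure described above is a goroutine stack overflow, which the Go runtime reports as a fatal error rather than a recoverable panic, so a recover() around regexp.Compile does not help; the only in-process defence for a program that must compile patterns it receives from untrusted sources is to bound the input before the compiler sees it (the real fix is the updated go1.16/go1.17 packages listed in this bug). The following is an added example, not code from this bug report, from SUSE or from the Go project: SafeCompile, nestingDepth, maxPatternLen and maxNesting are names and limits chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Limits chosen for this example; they are assumptions, not values taken from
// the advisory or from Go's regexp package. The advisory talks about inputs
// on the order of 2MB, so a cap of 64KB keeps well clear of that territory.
const (
	maxPatternLen = 64 * 1024
	maxNesting    = 200
)

var (
	ErrPatternTooLong = errors.New("regexp pattern exceeds length limit")
	ErrNestsTooDeeply = errors.New("regexp pattern nests too deeply")
)

// nestingDepth returns the deepest level of unescaped group parentheses in
// pattern. Parentheses preceded by a backslash or appearing inside a bracket
// class do not open groups and are skipped. This is a conservative pre-check,
// not a full parser: regexp.Compile remains the authority on validity.
func nestingDepth(pattern string) int {
	depth, maxDepth := 0, 0
	inClass := false
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\':
			i++ // skip the escaped byte
		case inClass:
			if c == ']' {
				inClass = false
			}
		case c == '[':
			inClass = true
		case c == '(':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case c == ')':
			if depth > 0 {
				depth--
			}
		}
	}
	return maxDepth
}

// SafeCompile rejects oversized or deeply nested patterns before handing them
// to regexp.Compile, so untrusted input never reaches the recursive parser
// with a pathological shape.
func SafeCompile(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, ErrPatternTooLong
	}
	if nestingDepth(pattern) > maxNesting {
		return nil, ErrNestsTooDeeply
	}
	return regexp.Compile(pattern)
}

func main() {
	// Constructed inputs: a benign pattern and a deeply nested one.
	if re, err := SafeCompile(`^(a(b(c)))$`); err == nil {
		fmt.Println("benign pattern compiled, matches abc:", re.MatchString("abc"))
	}
	deep := strings.Repeat("(", 5000) + "a" + strings.Repeat(")", 5000)
	if _, err := SafeCompile(deep); err != nil {
		fmt.Println("rejected before compile:", err)
	}
}
```

The length cap alone already rules out the multi-megabyte inputs the advisory describes; the nesting check is there so that the rejection reason is explicit and logged as such, which is what an operator wants to see when a client starts sending odd patterns.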
This is an autogenerated message for OBS integration: This bug (1196732) was mentioned in https://build.opensuse.org/request/show/959307 Factory / go1.16 https://build.opensuse.org/request/show/959308 Factory / go1.17
SUSE-SU-2022:1164-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (important)
Bug References: 1182345,1183043,1196732
CVE References: CVE-2022-24921
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): go1.16-1.16.15-150000.1.46.1
openSUSE Leap 15.3 (src): go1.16-1.16.15-150000.1.46.1
SUSE Manager Server 4.1 (src): go1.16-1.16.15-150000.1.46.1
SUSE Manager Retail Branch Server 4.1 (src): go1.16-1.16.15-150000.1.46.1
SUSE Manager Proxy 4.1 (src): go1.16-1.16.15-150000.1.46.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): go1.16-1.16.15-150000.1.46.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): go1.16-1.16.15-150000.1.46.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): go1.16-1.16.15-150000.1.46.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): go1.16-1.16.15-150000.1.46.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.16-1.16.15-150000.1.46.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): go1.16-1.16.15-150000.1.46.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): go1.16-1.16.15-150000.1.46.1
SUSE Enterprise Storage 7 (src): go1.16-1.16.15-150000.1.46.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1167-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (important)
Bug References: 1183043,1190649,1196732
CVE References: CVE-2022-24921
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): go1.17-1.17.8-150000.1.25.1
openSUSE Leap 15.3 (src): go1.17-1.17.8-150000.1.25.1
SUSE Manager Server 4.1 (src): go1.17-1.17.8-150000.1.25.1
SUSE Manager Retail Branch Server 4.1 (src): go1.17-1.17.8-150000.1.25.1
SUSE Manager Proxy 4.1 (src): go1.17-1.17.8-150000.1.25.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): go1.17-1.17.8-150000.1.25.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): go1.17-1.17.8-150000.1.25.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): go1.17-1.17.8-150000.1.25.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): go1.17-1.17.8-150000.1.25.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): go1.17-1.17.8-150000.1.25.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.17-1.17.8-150000.1.25.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): go1.17-1.17.8-150000.1.25.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): go1.17-1.17.8-150000.1.25.1
SUSE Enterprise Storage 7 (src): go1.17-1.17.8-150000.1.25.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
This is an autogenerated message for OBS integration: This bug (1196732) was mentioned in https://build.opensuse.org/request/show/1122671 Backports:SLE-12 / go1.17