Bug 1204501 - (CVE-2022-32149) VUL-0: CVE-2022-32149: grafana,cni,rekor,go1.19,terraform,go1.18,cri-o: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/344901/
Depends on:
Blocks:
Reported: 2022-10-19 12:41 UTC by Thomas Leroy
Modified: 2022-10-19 13:15 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Thomas Leroy 2022-10-19 12:41:44 UTC
rh#2134010

A vulnerability was found in the golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Version v0.3.8 of golang.org/x/text fixes this vulnerability.

References:
https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
https://go.dev/issue/56152

Upstream Commit:
https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2134010
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32149
https://www.cve.org/CVERecord?id=CVE-2022-32149
https://pkg.go.dev/vuln/GO-2022-1059
https://go.dev/cl/442235
https://go.dev/issue/56152
https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ
Comment 1 Thomas Leroy 2022-10-19 12:45:38 UTC
After investigating, I identified several packages internally using the golang.org/x/text/language package:
- grafana
- cni
- rekor
- terraform
- cri-o

They all vendor a version of the vulnerable package, but none of them uses the vulnerable function, therefore they're not affected.

I'll keep this open because some packages could join the list with the improvements of our tracking tooling.
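The triage in Comment 1 hinges on whether a package that vendors golang.org/x/text actually calls ParseAcceptLanguage, which a plain grep misses when the import is aliased. Added example, not from this bug or from the Go project: a stdlib-only AST check that answers that question for one source file, parameterised so it generalises to any vendored package/function pair; SampleHandler and CallsImportedFunc are constructed names.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// SampleHandler is a constructed snippet standing in for a vendored consumer under review;
// it imports the package under an alias, which a plain grep for "language." would miss.
const SampleHandler = `package h
import lang "golang.org/x/text/language"
func pick(h string) { _, _, _ = lang.ParseAcceptLanguage(h) }`

// CallsImportedFunc parses one Go source file and reports whether it calls funcName from the
// package at importPath, honouring import aliases. For this bug the arguments are
// "golang.org/x/text/language" and "ParseAcceptLanguage": a project that only vendors the
// module without calling that function is not exposed to the slow parse.
func CallsImportedFunc(src, importPath, funcName string) (bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "src.go", src, 0)
	if err != nil {
		return false, err
	}
	// Collect the local identifiers under which importPath is visible (default name or alias).
	aliases := map[string]bool{}
	for _, im := range f.Imports {
		if strings.Trim(im.Path.Value, `"`) != importPath {
			continue
		}
		if im.Name != nil {
			aliases[im.Name.Name] = true
		} else {
			aliases[importPath[strings.LastIndex(importPath, "/")+1:]] = true
		}
	}
	found := false
	ast.Inspect(f, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == funcName {
				if id, ok := sel.X.(*ast.Ident); ok && aliases[id.Name] {
					found = true
				}
			}
		}
		return !found // stop descending once a call site is known
	})
	return found, nil
}
```

Run it over every .go file of a vendoring package; a hit means the fix in v0.3.8 matters for that package, no hit matches the "vendored but not affected" conclusion above.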