Bug 1217833 (CVE-2023-39326) - VUL-0: CVE-2023-39326: go1.20,go1.21: net/http: limit chunked data overhead
Summary: VUL-0: CVE-2023-39326: go1.20,go1.21: net/http: limit chunked data overhead
Status: RESOLVED FIXED
Alias: CVE-2023-39326
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39326:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-06 02:15 UTC by Jeff Kowalczyk
Modified: 2024-03-27 14:50 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2023-12-06 02:15:25 UTC 
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.

A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.

Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

Thanks to Bartek Nowotarski for reporting this issue.

This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.
Comment 1 OBSbugzilla Bot 2023-12-06 08:25:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1217833) was mentioned in
https://build.opensuse.org/request/show/1131274 Factory / go1.20
https://build.opensuse.org/request/show/1131275 Factory / go1.21
Comment 3 Maintenance Automation 2023-12-11 20:36:21 UTC 
SUSE-SU-2023:4709-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.21-1.21.5-150000.1.18.1
openSUSE Leap 15.5 (src): go1.21-1.21.5-150000.1.18.1
Development Tools Module 15-SP4 (src): go1.21-1.21.5-150000.1.18.1
Development Tools Module 15-SP5 (src): go1.21-1.21.5-150000.1.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2023-12-11 20:36:24 UTC 
SUSE-SU-2023:4708-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1206346, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.12-150000.1.35.1
openSUSE Leap 15.5 (src): go1.20-1.20.12-150000.1.35.1
Development Tools Module 15-SP4 (src): go1.20-1.20.12-150000.1.35.1
Development Tools Module 15-SP5 (src): go1.20-1.20.12-150000.1.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-12-20 16:30:06 UTC 
SUSE-SU-2023:4931-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.5.1-150000.1.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-12-20 16:30:09 UTC 
SUSE-SU-2023:4930-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1206346, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.12.1-150000.1.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.