Bug 1221001 (CVE-2023-45290) - VUL-0: CVE-2023-45290 go1.21,go1.22: net/http: memory exhaustion in Request.ParseMultipartForm
Summary: VUL-0: CVE-2023-45290 go1.21,go1.22: net/http: memory exhaustion in Request.P...
Status: RESOLVED FIXED
Alias: CVE-2023-45290
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/396430/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-45290:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-06 01:50 UTC by Jeff Kowalczyk
Modified: 2024-05-31 13:07 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2024-03-06 01:50:31 UTC 
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

ParseMultipartForm now correctly limits the maximum size of form lines.

Thanks to Bartek Nowotarski for reporting this issue.

This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.
Comment 2 OBSbugzilla Bot 2024-03-06 05:35:08 UTC 
This is an autogenerated message for OBS integration:
This bug (1221001) was mentioned in
https://build.opensuse.org/request/show/1155402 Factory / go1.21
https://build.opensuse.org/request/show/1155403 Factory / go1.22
Comment 3 Maintenance Automation 2024-03-07 12:30:17 UTC 
SUSE-SU-2024:0800-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1212475, 1219988, 1220999, 1221000, 1221001, 1221002, 1221003
CVE References: CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): go1.21-1.21.8-1.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2024-03-08 08:30:03 UTC 
SUSE-SU-2024:0812-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1218424, 1219988, 1220999, 1221000, 1221001, 1221002, 1221003
CVE References: CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785
Sources used:
openSUSE Leap 15.5 (src): go1.22-1.22.1-150000.1.9.1
Development Tools Module 15-SP5 (src): go1.22-1.22.1-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2024-03-08 08:30:08 UTC 
SUSE-SU-2024:0811-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1212475, 1219988, 1220999, 1221000, 1221001, 1221002, 1221003
CVE References: CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785
Sources used:
openSUSE Leap 15.5 (src): go1.21-1.21.8-150000.1.27.1
Development Tools Module 15-SP5 (src): go1.21-1.21.8-150000.1.27.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): go1.21-1.21.8-150000.1.27.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): go1.21-1.21.8-150000.1.27.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): go1.21-1.21.8-150000.1.27.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): go1.21-1.21.8-150000.1.27.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): go1.21-1.21.8-150000.1.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2024-03-22 12:31:40 UTC 
SUSE-SU-2024:0936-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1218424, 1219988, 1220999, 1221000, 1221001, 1221002, 1221003
CVE References: CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785
Maintenance Incident: [SUSE:Maintenance:32983](https://smelt.suse.de/incident/32983/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 go1.22-1.22.1-1.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Andrea Mattiazzo 2024-05-31 13:07:40 UTC 
All done, closing.