Bug 1227309 (CVE-2024-37298) - VUL-0: CVE-2024-37298: distrobuilder: gorilla/schema: potential memory exhaustion due to sparse slice deserialization
Summary: VUL-0: CVE-2024-37298: distrobuilder: gorilla/schema: potential memory exhaus...
Status: NEW
Alias: CVE-2024-37298
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.6
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Richard Rahl
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412571/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-02 18:34 UTC by SMASH SMASH
Modified: 2024-07-02 19:15 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-07-02 18:34:37 UTC 
gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37298
https://www.cve.org/CVERecord?id=CVE-2024-37298
https://github.com/gorilla/schema/blob/main/decoder.go#L223
https://github.com/gorilla/schema/commit/cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff
https://github.com/gorilla/schema/security/advisories/GHSA-3669-72x9-r9p3
https://bugzilla.redhat.com/show_bug.cgi?id=2295010