Bug 1079008 - (CVE-2017-1000098) VUL-0: CVE-2017-1000098: golang: net/http: multipart ReadForm close file after copy
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Maintenance
Version: Leap 42.3
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/192821/
Depends on:
Blocks:
Reported: 2018-02-02 09:07 UTC by Victor Pereira
Modified: 2018-03-07 14:10 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2018-02-02 09:07:22 UTC
rh#1401985

The net/http package's Request.ParseMultipartForm method starts writing to
temporary files once the request body size surpasses the given "maxMemory"
limit. It was possible for an attacker to generate a multipart request crafted
such that the server ran out of file descriptors.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1401985
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000098
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000098.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000098
https://golang.org/cl/30410
https://golang.org/issue/17965
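The pattern behind this CVE is visible in the fix referenced above (golang.org/cl/30410, "close temp file after copy"): the pre-fix ReadForm loop opened a temp file for every oversized part and deferred its Close, so every descriptor stayed open until the whole form had been parsed, and a body with enough oversized parts exhausted the process's fd limit. The following Go program is an added example written for this page, not code from the Go project or from this bug report. It builds a constructed multipart body with many file parts, parses it with mime/multipart, spills each part larger than maxMemory to a temp file the way ReadForm does, and records the peak number of simultaneously open temp files with a counter (a stand-in for counting real descriptors, so it runs on any OS). The per-part memory limit and the closeEarly switch are simplifications introduced here to show the two behaviours side by side.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime/multipart"
	"os"
)

// fdTracker counts temp files currently open and the high-water mark.
// It models fd consumption without reading /proc/self/fd.
type fdTracker struct {
	open, peak int
}

func (t *fdTracker) acquire() {
	t.open++
	if t.open > t.peak {
		t.peak = t.open
	}
}

func (t *fdTracker) release() { t.open-- }

// buildForm constructs a multipart/form-data body with n file parts of
// partSize bytes each (constructed sample input, not a captured request).
func buildForm(n, partSize int) (body []byte, boundary string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	for i := 0; i < n; i++ {
		fw, err := w.CreateFormFile(fmt.Sprintf("f%d", i), fmt.Sprintf("f%d.bin", i))
		if err != nil {
			panic(err)
		}
		fw.Write(bytes.Repeat([]byte{'A'}, partSize))
	}
	w.Close()
	return buf.Bytes(), w.Boundary()
}

// spillParts reads every part of the body; a part larger than maxMemory
// (per part, a simplification of ReadForm's whole-form budget) is copied to
// a temp file. closeEarly=false reproduces the pre-fix shape of the loop:
// "defer file.Close()" inside a for loop, so all files stay open until the
// function returns. closeEarly=true closes each file right after the copy,
// as CL 30410 does. The return value is the peak number of open temp files.
func spillParts(body []byte, boundary string, maxMemory int64, closeEarly bool) (peakOpen int, err error) {
	tr := &fdTracker{}
	r := multipart.NewReader(bytes.NewReader(body), boundary)
	for {
		p, err := r.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return 0, err
		}
		// Buffer up to maxMemory+1 bytes; if the part ends first it fits in memory.
		var b bytes.Buffer
		n, err := io.CopyN(&b, p, maxMemory+1)
		if err != nil && err != io.EOF {
			return 0, err
		}
		if n <= maxMemory {
			continue
		}
		f, err := os.CreateTemp("", "multipart-")
		if err != nil {
			return 0, err
		}
		tr.acquire()
		name := f.Name()
		defer os.Remove(name) // cleanup of the spilled data at return
		if _, err := io.Copy(f, io.MultiReader(&b, p)); err != nil {
			f.Close()
			tr.release()
			return 0, err
		}
		if closeEarly {
			f.Close() // fixed behaviour: one descriptor in use at a time
			tr.release()
		} else {
			defer func() { f.Close(); tr.release() }() // leaky behaviour: held until return
		}
	}
	return tr.peak, nil
}

func main() {
	body, boundary := buildForm(50, 2048)
	leaky, _ := spillParts(body, boundary, 1024, false)
	fixed, _ := spillParts(body, boundary, 1024, true)
	fmt.Printf("peak open temp files: leaky=%d fixed=%d\n", leaky, fixed)
}
```

With 50 oversized parts the leaky variant peaks at 50 open temp files and the fixed variant at 1; with a real request the leaky figure grows with the number of parts an attacker sends, up to the ulimit -n of the server process, which is the exhaustion the advisory describes.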
Comment 1 Jordi Massaguer 2018-03-07 13:59:28 UTC
This fix is in go1.8, go1.9, go1.10 and in go1.7 >= 1.7.5

All our packages should have this fix already.
Comment 2 Jordi Massaguer 2018-03-07 14:10:40 UTC
Also in go1.6 >= 1.6.4. All our instances of go1.6 already contain this version.