Bug 1189231 - (CVE-2021-29923) VUL-0: CVE-2021-29923: go1.16,go1.15,go1.14: Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Jeff Kowalczyk
Security Team bot
https://smash.suse.de/issue/305978/
CVSSv3.1:SUSE:CVE-2021-29923:7.4:(AV:...
Reported: 2021-08-09 14:41 UTC by Gianluca Gabrielli
Modified: 2022-01-11 13:12 UTC
Found By: Security Response Team
Description Gianluca Gabrielli 2021-08-09 14:41:16 UTC
Go before 1.17 does not properly consider extraneous zero characters at the
beginning of an IP address octet, which (in some situations) allows attackers to
bypass access control that is based on IP addresses, because of unexpected octal
interpretation. This affects net.ParseIP and net.ParseCIDR.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29923
https://github.com/golang/go/issues/30999
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md
http://www.cvedetails.com/cve/CVE-2021-29923/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29923
https://github.com/golang/go/issues/43389
https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis
https://golang.org/pkg/net/#ParseCIDR
https://go-review.googlesource.com/c/go/+/325829/
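
The ambiguity described above, as an added example that is not part of the original report or of Go's own code: it reads the same IPv4 string as decimal and as octal, and shows a strict parser that rejects the ambiguous form on any Go version. The names `readings` and `ParseIPv4Strict` and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// readings parses dotted-quad s twice: dec reads every octet as decimal (Go
// before 1.17 ignored leading zeros), oct reads zero-prefixed octets as octal
// (the BSD inet_aton convention). leadingZero reports any prefixed octet.
func readings(s string) (dec, oct net.IP, leadingZero bool, err error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, nil, false, fmt.Errorf("%q: not a dotted quad", s)
	}
	dec, oct = make(net.IP, 4), make(net.IP, 4)
	for i, p := range parts {
		d, e := strconv.ParseUint(p, 10, 8)
		o := d
		if e == nil && len(p) > 1 && p[0] == '0' {
			leadingZero = true
			o, e = strconv.ParseUint(p, 8, 8)
		}
		if e != nil {
			return nil, nil, false, fmt.Errorf("%q: bad octet %q", s, p)
		}
		dec[i], oct[i] = byte(d), byte(o)
	}
	return dec, oct, leadingZero, nil
}

// ParseIPv4Strict (hypothetical helper) accepts only the unambiguous form,
// applying the Go 1.17 rule of rejecting leading zeros on any Go version.
func ParseIPv4Strict(s string) (net.IP, error) {
	dec, _, leadingZero, err := readings(s)
	if err == nil && leadingZero {
		return nil, fmt.Errorf("%q: leading zero in octet is ambiguous", s)
	}
	return dec, err
}

func main() {
	for _, s := range []string{"10.8.8.8", "010.8.8.8"} { // constructed inputs
		dec, oct, lz, _ := readings(s)
		_, err := ParseIPv4Strict(s)
		fmt.Println(s, "decimal:", dec, "octal:", oct, "leadingZero:", lz, "strict:", err)
	}
}
```

When an access-control check and the component that finally connects disagree on which reading applies, the allow or deny decision is made for a different address than the one used; rejecting the leading-zero form removes the disagreement.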
Comment 1 Gianluca Gabrielli 2021-08-09 14:42:17 UTC
Affected packages:
 - SUSE:SLE-15:Update/go1.14   1.14.15
 - SUSE:SLE-15:Update/go1.15   1.15.14
 - SUSE:SLE-15:Update/go1.16   1.16.6
 - openSUSE:Factory/go1.14     1.14.15
 - openSUSE:Factory/go1.15     1.15.14
 - openSUSE:Factory/go1.16     1.16.6

Upstream patch [0].

[0] https://github.com/golang/go/commit/d3e3d03666bbd8784007bbb78a75864aac786967
Comment 2 Gianluca Gabrielli 2021-09-28 11:42:39 UTC
Hi Jeff,

This should have gotten fixed with version bump 1.6.17. Could you confirm and, in that case, add it to the changes file?
Comment 3 Alexander Bergmann 2021-11-09 09:29:41 UTC
So far the fix from comment 1 is only present inside go1.17.

$ git tag --contains d3e3d03666bbd8784007bbb78a75864aac786967
go1.17
go1.17.1
go1.17.2
go1.17.3
go1.17beta1
go1.17rc1
go1.17rc2
Comment 4 Gianluca Gabrielli 2022-01-11 13:06:21 UTC
Hi Jeff, can you please submit the patch?