Bug 1189231 – VUL-0: CVE-2021-29923: go1.16,go1.15,go1.14: Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control

Bug 1189231 - (CVE-2021-29923) VUL-0: CVE-2021-29923: go1.16,go1.15,go1.14: Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control

(CVE-2021-29923)
Summary:	VUL-0: CVE-2021-29923: go1.16,go1.15,go1.14: Go before 1.17 does not properly...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Jeff Kowalczyk
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/305978/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-29923:7.4:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-08-09 14:41 UTC by Gianluca Gabrielli
Modified:	2022-01-11 13:12 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-08-09 14:41:16 UTC

Go before 1.17 does not properly consider extraneous zero characters at the
beginning of an IP address octet, which (in some situations) allows attackers to
bypass access control that is based on IP addresses, because of unexpected octal
interpretation. This affects net.ParseIP and net.ParseCIDR.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29923
https://github.com/golang/go/issues/30999
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md
http://www.cvedetails.com/cve/CVE-2021-29923/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29923
https://github.com/golang/go/issues/43389
https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis
https://golang.org/pkg/net/#ParseCIDR
https://go-review.googlesource.com/c/go/+/325829/

Comment 1 Gianluca Gabrielli 2021-08-09 14:42:17 UTC

Affected packages:
 - SUSE:SLE-15:Update/go1.14   1.14.15
 - SUSE:SLE-15:Update/go1.15   1.15.14
 - SUSE:SLE-15:Update/go1.16   1.16.6
 - openSUSE:Factory/go1.14     1.14.15
 - openSUSE:Factory/go1.15     1.15.14
 - openSUSE:Factory/go1.16     1.16.6

Upstream patch [0].

[0] https://github.com/golang/go/commit/d3e3d03666bbd8784007bbb78a75864aac786967

Comment 2 Gianluca Gabrielli 2021-09-28 11:42:39 UTC

Hi Jeff,

This should have gotten fixed with version bump 1.6.17. Could if confirm and in case add it to the changes file?

Comment 3 Alexander Bergmann 2021-11-09 09:29:41 UTC

So far the fix from comment 1 is only present inside go1.17.

$ git tag --contains d3e3d03666bbd8784007bbb78a75864aac786967
go1.17
go1.17.1
go1.17.2
go1.17.3
go1.17beta1
go1.17rc1
go1.17rc2

Comment 4 Gianluca Gabrielli 2022-01-11 13:06:21 UTC

Hi Jeff, can you please submit the patch?