x/net/html: infinite loop in ParseFragment #46288

Closed
FiloSottile opened this issue May 20, 2021 · 6 comments
Labels: FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.), Security
@FiloSottile
Contributor

x/net/html.ParseFragment can enter an infinite loop when provided inputs that mix <math> and <template> tags.

This was originally found by OSS-Fuzz, and was reported to us by Andrew Thornton (art27@cantab.net).

This is tracked as CVE-2021-33194.

FiloSottile added the Security and NeedsFix labels on May 20, 2021
FiloSottile added this to the Unreleased milestone on May 20, 2021
@FiloSottile
Contributor Author

Fixed by CL 311090

@gpiyush-dev

Hi @FiloSottile

Is a version upgrade required for golang.org/x/net to v0.0.0-20210520170846-37e1c6afe023 or the latest in the relevant release branches to mitigate the issue?
Example of one such change: d4adea2

-- Piyush

@FiloSottile
Contributor Author

To fix this issue, your module needs to depend on golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 or later. There are no release branches on golang.org/x/net.

@gpiyush-dev

Thanks for the response.

Currently, golang.org/x/net is on v0.0.0-20210428183300-3f4a416c7d3b in release-branch.go1.16 -

golang.org/x/net v0.0.0-20210428183300-3f4a416c7d3b

Is an exploit possible in 1.16, as golang.org/x/net is not at v0.0.0-20210520170846-37e1c6afe023 or higher?

@FiloSottile
Contributor Author

Go 1.16 doesn't use the golang.org/x/net/html package so is unaffected even if it imports an older version of other golang.org/x/net packages.

@gpiyush-dev

Thanks for confirming @FiloSottile.
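
An added example, not code from this thread or from the Go project: a standard-library-only Go check that reads a go.mod and reports whether its golang.org/x/net requirement is at or after the fixed version named above. The function names, the sample go.mod and the treatment of versions other than v0.0.0 pseudo-versions are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Timestamp of v0.0.0-20210520170846-37e1c6afe023, the fixed version named in the thread.
const fixedTimestamp = "20210520170846"

// xnetVersion returns the golang.org/x/net version from the require directives
// of a go.mod file, or "" if absent. Replace and exclude directives are not handled.
func xnetVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.SplitN(line, "//", 2)[0] // drop "// indirect" comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && f[0] == "golang.org/x/net" {
			return f[1]
		}
	}
	return ""
}

// hasFix reports whether version v is the fixed pseudo-version or a later one.
func hasFix(v string) (bool, error) {
	if !strings.HasPrefix(v, "v0.0.0-") {
		// Assumption: every other "v..." version sorts after the untagged
		// v0.0.0-<timestamp>-<commit> pseudo-versions and postdates the fix.
		if strings.HasPrefix(v, "v") {
			return true, nil
		}
		return false, fmt.Errorf("not a module version: %q", v)
	}
	parts := strings.Split(v, "-")
	if len(parts) != 3 || len(parts[1]) != 14 {
		return false, fmt.Errorf("unexpected pseudo-version: %q", v)
	}
	return parts[1] >= fixedTimestamp, nil // fixed-width UTC timestamps compare as strings
}

func main() {
	// Constructed go.mod; the version is the one quoted in the thread for release-branch.go1.16.
	gomod := "module example.com/app\n\nrequire (\n\tgolang.org/x/net v0.0.0-20210428183300-3f4a416c7d3b // indirect\n)\n"
	v := xnetVersion(gomod)
	ok, err := hasFix(v)
	fmt.Println(v, "has fix:", ok, err)
}
```

A result of false matters only for builds that import golang.org/x/net/html, as the thread notes for Go 1.16.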

costanic added a commit to PelionIoT/maestro that referenced this issue Mar 5, 2022
CVE-2021-33194: upgrade golang/x/net
CVE-2019-19794: upgrade github.com/miekg/dns
CVE-2021-29482: upgrade github.com/ulikunitz/xz
CVE-2020-27813: upgrade github.com/gorilla/websocket

References:
golang/go#46288
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194
costanic added a commit to PelionIoT/edge-proxy that referenced this issue Mar 6, 2022
costanic added a commit to PelionIoT/maestro that referenced this issue Mar 12, 2022
costanic added a commit to PelionIoT/maestro that referenced this issue Mar 14, 2022
costanic added a commit to PelionIoT/maestro that referenced this issue Mar 14, 2022
golang locked and limited conversation to collaborators on Jul 8, 2022