CVE-2022-2879
Summary
| Field | Value |
|---|---|
| CVE | CVE-2022-2879 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-10-14 15:15:00 UTC |
| Updated | 2023-11-25 11:15:00 UTC |
| Description | Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Application | Golang | Go | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security | | security.gentoo.org | |
| [SECURITY] Fedora 37 Update: golang-1.19.2-1.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| archive/tar: unbounded memory consumption when reading headers · Issue #54853 · golang/go · GitHub | MISC | go.dev | |
| GO-2022-1037 - Go Packages | MISC | pkg.go.dev | |
| go.dev/cl/439355 | MISC | go.dev | |
| [security] Go 1.19.2 and Go 1.18.7 are released | MISC | groups.google.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160322 Oracle Enterprise Linux Security Update for ol8addon (ELSA-2022-24267)
- 160414 Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-0328)
- 160440 Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2023-0446)
- 160499 Oracle Enterprise Linux Security Update for ol8addon (ELSA-2023-18908)
- 160609 Oracle Enterprise Linux Security Update for image builder (ELSA-2023-2204)
- 160666 Oracle Enterprise Linux Security Update for image builder (ELSA-2023-2780)
- 161289 Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2024-0121)
- 182627 Debian Security Update for golang-1.19 (CVE-2022-2879)
- 199304 Ubuntu Security Notification for Go Vulnerabilities (USN-6038-1)
- 241106 Red Hat Update for go-toolset and golang (RHSA-2023:0328)
- 241132 Red Hat Update for go-toolset:rhel8 (RHSA-2023:0446)
- 241187 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0727)
- 241424 Red Hat Update for image builder security (RHSA-2023:2204)
- 241490 Red Hat Update for image builder security (RHSA-2023:2780)
- 241747 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3613)
- 242882 Red Hat Update for container-tools:4.0 (RHSA-2024:0121)
- 283206 Fedora Security Update for golang (FEDORA-2022-0e313cc582)
- 354133 Amazon Linux Security Advisory for golang : ALAS2-2022-1887
- 354318 Amazon Linux Security Advisory for golist : ALAS2022-2022-240
- 354512 Amazon Linux Security Advisory for golang : ALAS2022-2022-239
- 354547 Amazon Linux Security Advisory for golang : ALAS-2022-239
- 354562 Amazon Linux Security Advisory for golist : ALAS-2022-240
- 354647 Amazon Linux Security Advisory for golist : ALAS2-2023-1913
- 355111 Amazon Linux Security Advisory for golist : ALAS2023-2023-046
- 355212 Amazon Linux Security Advisory for golang : ALAS2023-2023-048
- 356304 Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-002
- 378046 Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2023:0028)
- 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
- 378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
- 502529 Alpine Linux Security Update for go
- 502859 Alpine Linux Security Update for go
- 672413 EulerOS Security Update for golang (EulerOS-SA-2022-2795)
- 672476 EulerOS Security Update for golang (EulerOS-SA-2023-1035)
- 672519 EulerOS Security Update for golang (EulerOS-SA-2023-1010)
- 672528 EulerOS Security Update for golang (EulerOS-SA-2023-1100)
- 672533 EulerOS Security Update for golang (EulerOS-SA-2023-1124)
- 672621 EulerOS Security Update for golang (EulerOS-SA-2023-1385)
- 672650 EulerOS Security Update for golang (EulerOS-SA-2023-1357)
- 690952 Free Berkeley Software Distribution (FreeBSD) Security Update for go (854c2afb-4424-11ed-af97-adcabf310f9b)
- 710791 Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)
- 753218 SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2022:3669-1)
- 753359 SUSE Enterprise Linux Security Update for go1.18 (SUSE-SU-2022:3668-1)
- 754047 SUSE Enterprise Linux Security Update for go1.18-openssl (SUSE-SU-2023:2312-1)
- 770176 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0727)
- 770197 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3613)
- 904235 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11154)
- 904242 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11128)
- 907498 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11128-1)
- 907756 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11154-1)
- 907846 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11128-2)
- 908057 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11128-4)
- 940905 AlmaLinux Security Update for go-toolset and golang (ALSA-2023:0328)
- 940911 AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2023:0446)
- 941063 AlmaLinux Security Update for Image (ALSA-2023:2204)
- 941118 AlmaLinux Security Update for Image (ALSA-2023:2780)
- 941535 AlmaLinux Security Update for container-tools:4.0 (ALSA-2024:0121)
- 960489 Rocky Linux Security Update for go-toolset and golang (RLSA-2023:0328)
- 960609 Rocky Linux Security Update for go-toolset:rhel8 (RLSA-2023:0446)