ALAS2GOLANG1.19-2023-002 --- golangID: oval:org.secpod.oval:def:1701653 | Date: (C)2023-10-26 (M)2024-02-26 |
Class: PATCH | Family: unix |
An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. There's a flaw in golang's syscall.ForkExec interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec. A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. A flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability. Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. A flaw was found in the elliptic package of the crypto library in golang when the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource. A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (CVE-2022-24675(CVE-2022-27664(((CVE-2022-28327(CVE-2022-2879(CVE-2022-2880(CVE-2022-30580(CVE-2022-30632(CVE-2022-30634(CVE-2022-30635(CVE-2022-41715(CVE-2022-41717(if invalid(but still invalid(CVE-2022-41722(CVE-2022-41723(by setting Config.ClientSessionCache to a non-nil value(by setting Config.ClientAuth greater than = RequestClientCert(CVE-2022-41724(https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E(CVE-2022-41725