Critical vulnerability CVE-2024-24790 in go stdlib

[bpfoster]

Loki 3.0.0

CVE-2024-24790 has been published against the go stdlib net/netip.

https://pkg.go.dev/vuln/GO-2024-2887

Resolved in go 1.21.11 or 1.22.4. Loki 3.0.0 showing as built with a vulnerable go 1.21.9

[JohnFrampton]

We would very much appreciate the fix :-)

[bpfoster]

Vulnerability still present in just released Loki 3.1.0

$ ./loki-linux-amd64 --version
loki, version 3.1.0 (branch: k207, revision: 935aee77)
  build user:       root@de8d403f3caa
  build date:       2024-07-02T10:19:43Z
  go version:       go1.22.2
  platform:         linux/amd64
  tags:             netgo

$ govulncheck -mode binary loki-linux-amd64
=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Vulnerable symbols found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.Do
      #3: http.Client.Get
      #4: http.Client.Head
      #5: http.Client.Post
      #6: http.Client.PostForm
      #7: http.Get
      #8: http.Head
      #9: http.Post
      #10: http.PostForm
      #11: http.Transport.CancelRequest
      #12: http.Transport.CloseIdleConnections
      #13: http.Transport.RoundTrip

Vulnerability #2: GO-2024-2918
    Azure Identity Libraries Elevation of Privilege Vulnerability in
    github.com/Azure/azure-sdk-for-go/sdk/azidentity
  More info: https://pkg.go.dev/vuln/GO-2024-2918
  Module: github.com/Azure/azure-sdk-for-go/sdk/azidentity
    Found in: github.com/Azure/azure-sdk-for-go/sdk/[email protected]
    Fixed in: github.com/Azure/azure-sdk-for-go/sdk/[email protected]
    Vulnerable symbols found:
      #1: azidentity.AzurePipelinesCredential.GetToken
      #2: azidentity.ChainedTokenCredential.GetToken
      #3: azidentity.ClientAssertionCredential.GetToken
      #4: azidentity.ClientCertificateCredential.GetToken
      #5: azidentity.ClientSecretCredential.GetToken
      #6: azidentity.DefaultAzureCredential.GetToken
      #7: azidentity.EnvironmentCredential.GetToken
      #8: azidentity.ManagedIdentityCredential.GetToken
      #9: azidentity.NewDefaultAzureCredential
      #10: azidentity.NewManagedIdentityCredential
      #11: azidentity.OnBehalfOfCredential.GetToken
      #12: azidentity.WorkloadIdentityCredential.GetToken
      #13: azidentity.confidentialClient.GetToken

Vulnerability #3: GO-2024-2888
    Mishandling of corrupt central directory record in archive/zip
  More info: https://pkg.go.dev/vuln/GO-2024-2888
  Standard library
    Found in: archive/[email protected]
    Fixed in: archive/[email protected]
    Vulnerable symbols found:
      #1: zip.NewReader
      #2: zip.OpenReader

Vulnerability #4: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
  More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Vulnerable symbols found:
      #1: netip.Addr.IsGlobalUnicast
      #2: netip.Addr.IsInterfaceLocalMulticast
      #3: netip.Addr.IsLinkLocalMulticast
      #4: netip.Addr.IsLoopback
      #5: netip.Addr.IsMulticast
      #6: netip.Addr.IsPrivate

Vulnerability #5: GO-2024-2824
    Malformed DNS message can cause infinite loop in net
  More info: https://pkg.go.dev/vuln/GO-2024-2824
  Standard library
    Found in: [email protected]
    Fixed in: [email protected]
    Vulnerable symbols found:
      #1: net.Dial
      #2: net.DialTimeout
      #3: net.Dialer.Dial
      #4: net.Dialer.DialContext
      #5: net.Listen
      #6: net.ListenConfig.Listen
      #7: net.ListenConfig.ListenPacket
      #8: net.ListenPacket
      #9: net.LookupAddr
      #10: net.LookupCNAME
      #11: net.LookupHost
      #12: net.LookupIP
      #13: net.LookupMX
      #14: net.LookupNS
      #15: net.LookupSRV
      #16: net.LookupTXT
      #17: net.ResolveIPAddr
      #18: net.ResolveTCPAddr
      #19: net.ResolveUDPAddr
      #20: net.Resolver.LookupAddr
      #21: net.Resolver.LookupCNAME
      #22: net.Resolver.LookupHost
      #23: net.Resolver.LookupIP
      #24: net.Resolver.LookupIPAddr
      #25: net.Resolver.LookupMX
      #26: net.Resolver.LookupNS
      #27: net.Resolver.LookupNetIP
      #28: net.Resolver.LookupSRV
      #29: net.Resolver.LookupTXT

Vulnerability #6: GO-2022-0646
    Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0646
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/[email protected]
    Fixed in: N/A
    Vulnerable symbols found:
      #1: s3crypto.NewDecryptionClient
      #2: s3crypto.NewEncryptionClient

Your code is affected by 6 vulnerabilities from 2 modules and the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require

[reedog117]

This CVE is also still present in recently released 2.9.9

[bpfoster]

Looks like these issues are not reviewed... appears this closed in Loki versions 3.0.1 and 3.1.1

#13833
#13789