search

containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0
22.4k stars 2.31k forks source link

fix(deps): update module github.com/gorilla/schema to v1.4.1 [security] #23159

Closed renovate[bot] closed 1 day ago

renovate[bot] commented 3 days ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/gorilla/schema v1.4.0 -> v1.4.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-37298

Details

Running schema.Decoder.Decode() on a struct that has a field of type []struct{...} opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice.

In the local environment environment for my project, I was able to call an endpoint like /innocent_endpoint?arr.10000000.X=1 and freeze my system from the memory allocation while parsing r.Form. I think this line is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess.

Proof of Concept

The following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions.

package main

import (
    "fmt"

    "github.com/gorilla/schema"
)

func main() {
    dec := schema.NewDecoder()
    var result struct {
        Arr []struct{ Val int }
    }
    if err := dec.Decode(&result, map[string][]string{"arr.1000000000.Val": {"1"}}); err != nil {
        panic(err)
    }
    fmt.Printf("%#+v\n", result)
}

Impact

Any use of schema.Decoder.Decode() on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. There seems to be no possible solution that a developer using this library can do to disable this behaviour without fixing it in this project, so all uses of Decode that fall under this umbrella are affected. A fix that doesn't require a major change may also be harder to find, since it could break compatibility with some other intended use-cases.

Release Notes

gorilla/schema (github.com/gorilla/schema) ### [`v1.4.1`](https://togithub.com/gorilla/schema/releases/tag/v1.4.1) [Compare Source](https://togithub.com/gorilla/schema/compare/v1.4.0...v1.4.1) ### Security Release Fixes an issue where sparse slice deserialization can cause memory exhaustion CVE-2024-37298 Thanks to [@​AlexVasiluta](https://togithub.com/AlexVasiluta) for the report and following responsible disclosure. **Full Changelog**: https://github.com/gorilla/schema/compare/v1.4.0...v1.4.1

Configuration

šŸ“… Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

šŸš¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.

ā™» Rebasing: Never, or you tick the rebase/retry checkbox.

šŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

openshift-ci[bot] commented 3 days ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, renovate[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/containers/podman/blob/main/OWNERS)~~ [Luap99] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
mheon commented 2 days ago

Restarted. Probably going to have to get this backported.

Luap99 commented 2 days ago

Probably going to have to get this backported.

If a user has access to the socket then they can do much worse things than causing a oom on the podman service so I don't think it is a security problem for podman.