Closed renovate[bot] closed 1 day ago
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Luap99, renovate[bot]
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Restarted. Probably going to have to get this backported.
Probably going to have to get this backported.
If a user has access to the socket then they can do much worse things than causing a oom on the podman service so I don't think it is a security problem for podman.
This PR contains the following updates:
v1.4.0
->v1.4.1
GitHub Vulnerability Alerts
CVE-2024-37298
Details
Running
schema.Decoder.Decode()
on a struct that has a field of type[]struct{...}
opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice.In the local environment environment for my project, I was able to call an endpoint like
/innocent_endpoint?arr.10000000.X=1
and freeze my system from the memory allocation while parsingr.Form
. I think this line is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess.Proof of Concept
The following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions.
Impact
Any use of
schema.Decoder.Decode()
on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. There seems to be no possible solution that a developer using this library can do to disable this behaviour without fixing it in this project, so all uses of Decode that fall under this umbrella are affected. A fix that doesn't require a major change may also be harder to find, since it could break compatibility with some other intended use-cases.Release Notes
gorilla/schema (github.com/gorilla/schema)
### [`v1.4.1`](https://togithub.com/gorilla/schema/releases/tag/v1.4.1) [Compare Source](https://togithub.com/gorilla/schema/compare/v1.4.0...v1.4.1) ### Security Release Fixes an issue where sparse slice deserialization can cause memory exhaustion CVE-2024-37298 Thanks to [@AlexVasiluta](https://togithub.com/AlexVasiluta) for the report and following responsible disclosure. **Full Changelog**: https://github.com/gorilla/schema/compare/v1.4.0...v1.4.1Configuration
š Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
š¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
ā» Rebasing: Never, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.