INFSA-2024:8038: container-tools:rhel8 security update
Information about definition
Identifier: INFSA-2024:8038
Type: security
Release date: 2024-10-23 10:30:09 UTC
Information about package
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Vulnerabilities description
- CVE-2023-45290
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
- CVE-2024-34155
A flaw was found in the go/parser package of the Golang standard library. Calling any Parse functions on Go source code containing deeply nested literals can cause a panic due to stack exhaustion.
- CVE-2024-34156
A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decode on a message that contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- CVE-2024-34158
A flaw was found in the go/build/constraint package of the Golang standard library. Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
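The CVE-2023-45290 entry above concerns code that container-tools binaries (and any Go service) inherit from net/http, so the fix is the rebuilt packages. For a Go service you maintain yourself, the defence a practitioner adds regardless of toolchain version is to bound the request body before the multipart parser reads it. The program below is an added example, not code from the advisory or from the Go project; the limits (64 KiB body, 32 KiB in-memory), the field name "comment" and the helper names buildMultipart, handleUpload and submit are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical per-request limits chosen for this example (not values from
// the advisory): total bytes read from the body, and bytes ParseMultipartForm
// may hold in memory before spilling file parts to disk.
const (
	maxBodyBytes = 64 << 10 // 64 KiB total request body
	maxMemory    = 32 << 10 // 32 KiB held in memory by the form parser
)

// buildMultipart constructs a multipart/form-data body with a single text
// field "comment" whose value is valueLen bytes of 'A'. This is constructed
// input for the example; a hostile client would send something similar with
// a very long line.
func buildMultipart(valueLen int) (body []byte, contentType string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	fw, err := w.CreateFormField("comment")
	if err != nil {
		panic(err)
	}
	if _, err := fw.Write([]byte(strings.Repeat("A", valueLen))); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes(), w.FormDataContentType()
}

// handleUpload parses the form with the body bounded first. It returns the
// status code the handler would send and the parsed "comment" value, so the
// outcome can be checked without a running server.
func handleUpload(w http.ResponseWriter, r *http.Request) (status int, comment string) {
	// Bound the whole body before the multipart parser sees it. This holds
	// whether or not the toolchain carries the CVE-2023-45290 fix: a single
	// over-long line cannot make the parser consume more than maxBodyBytes.
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)

	if err := r.ParseMultipartForm(maxMemory); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			return http.StatusRequestEntityTooLarge, ""
		}
		return http.StatusBadRequest, ""
	}
	return http.StatusOK, r.FormValue("comment")
}

// submit runs handleUpload against a synthetic POST carrying a "comment"
// field of valueLen bytes.
func submit(valueLen int) (int, string) {
	body, ct := buildMultipart(valueLen)
	req := httptest.NewRequest(http.MethodPost, "/upload", bytes.NewReader(body))
	req.Header.Set("Content-Type", ct)
	return handleUpload(httptest.NewRecorder(), req)
}

func main() {
	status, comment := submit(1024)
	fmt.Printf("1 KiB field: status=%d len(comment)=%d\n", status, len(comment))

	status, comment = submit(1 << 20) // 1 MiB field, far above maxBodyBytes
	fmt.Printf("1 MiB field: status=%d len(comment)=%d\n", status, len(comment))
}
```

The small form is accepted with its value intact; the 1 MiB form is rejected once the reader passes maxBodyBytes, before the parser can buffer the whole line. The cap is defence in depth for code you control; for podman, buildah, skopeo and runc the memory limit lives inside the Go runtime they were built with, which is why installing the updated packages is the fix.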
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
---|---|---|---|
NIST — CVE-2023-45290 | no information | 5.3 | no information |
NIST — CVE-2024-34155 | no information | 5.9 | no information |
NIST — CVE-2024-34156 | no information | 7.5 | no information |
NIST — CVE-2024-34158 | no information | 5.9 | no information |
Updated packages