Upstream information

CVE-2024-37298 at MITRE

Description

gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

SUSE Bugzilla entry: 1227309 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Liberty Linux 8
  • aardvark-dns >= 1.10.0-1.module+el8.10.0+22202+761b9a65
  • buildah >= 1.33.8-4.module+el8.10.0+22202+761b9a65
  • buildah-tests >= 1.33.8-4.module+el8.10.0+22202+761b9a65
  • cockpit-podman >= 84.1-1.module+el8.10.0+22202+761b9a65
  • conmon >= 2.1.10-1.module+el8.10.0+22202+761b9a65
  • container-selinux >= 2.229.0-2.module+el8.10.0+22202+761b9a65
  • containernetworking-plugins >= 1.4.0-5.module+el8.10.0+22202+761b9a65
  • containers-common >= 1-82.module+el8.10.0+22202+761b9a65
  • crit >= 3.18-5.module+el8.10.0+22202+761b9a65
  • criu >= 3.18-5.module+el8.10.0+22202+761b9a65
  • criu-devel >= 3.18-5.module+el8.10.0+22202+761b9a65
  • criu-libs >= 3.18-5.module+el8.10.0+22202+761b9a65
  • crun >= 1.14.3-2.module+el8.10.0+22202+761b9a65
  • fuse-overlayfs >= 1.13-1.module+el8.10.0+22202+761b9a65
  • libslirp >= 4.4.0-2.module+el8.10.0+22202+761b9a65
  • libslirp-devel >= 4.4.0-2.module+el8.10.0+22202+761b9a65
  • netavark >= 1.10.3-1.module+el8.10.0+22202+761b9a65
  • oci-seccomp-bpf-hook >= 1.2.10-1.module+el8.10.0+22202+761b9a65
  • podman >= 4.9.4-12.module+el8.10.0+22202+761b9a65
  • podman-catatonit >= 4.9.4-12.module+el8.10.0+22202+761b9a65
  • podman-docker >= 4.9.4-12.module+el8.10.0+22202+761b9a65
  • podman-gvproxy >= 4.9.4-12.module+el8.10.0+22202+761b9a65
  • podman-plugins >= 4.9.4-12.module+el8.10.0+22202+761b9a65
  • podman-remote >= 4.9.4-12.module+el8.10.0+22202+761b9a65
  • podman-tests >= 4.9.4-12.module+el8.10.0+22202+761b9a65
  • python3-criu >= 3.18-5.module+el8.10.0+22202+761b9a65
  • python3-podman >= 4.9.0-2.module+el8.10.0+22202+761b9a65
  • runc >= 1.1.12-4.module+el8.10.0+22202+761b9a65
  • skopeo >= 1.14.5-3.module+el8.10.0+22202+761b9a65
  • skopeo-tests >= 1.14.5-3.module+el8.10.0+22202+761b9a65
  • slirp4netns >= 1.2.3-1.module+el8.10.0+22202+761b9a65
  • toolbox >= 0.0.99.5-2.module+el8.10.0+22202+761b9a65
  • toolbox-tests >= 0.0.99.5-2.module+el8.10.0+22202+761b9a65
  • udica >= 0.2.6-21.module+el8.10.0+22202+761b9a65
Patchnames:
RHSA-2024:5258
SUSE Liberty Linux 9
  • podman >= 4.9.4-10.el9_4
  • podman-docker >= 4.9.4-10.el9_4
  • podman-plugins >= 4.9.4-10.el9_4
  • podman-remote >= 4.9.4-10.el9_4
  • podman-tests >= 4.9.4-10.el9_4
Patchnames:
RHSA-2024:6194


SUSE Timeline for this CVE

CVE page created: Mon Jul 1 22:00:57 2024
CVE page last modified: Tue Dec 3 21:57:42 2024