Upstream information
CVE-2024-37298 at MITRE
Description
gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
SUSE Bugzilla entry:
1227309 [NEW]
SUSE Security Advisories:
List of released packages
Product(s) | Fixed package version(s) | References |
SUSE Liberty Linux 8 | aardvark-dns >= 1.10.0-1.module+el8.10.0+22202+761b9a65
buildah >= 1.33.8-4.module+el8.10.0+22202+761b9a65
buildah-tests >= 1.33.8-4.module+el8.10.0+22202+761b9a65
cockpit-podman >= 84.1-1.module+el8.10.0+22202+761b9a65
conmon >= 2.1.10-1.module+el8.10.0+22202+761b9a65
container-selinux >= 2.229.0-2.module+el8.10.0+22202+761b9a65
containernetworking-plugins >= 1.4.0-5.module+el8.10.0+22202+761b9a65
containers-common >= 1-82.module+el8.10.0+22202+761b9a65
crit >= 3.18-5.module+el8.10.0+22202+761b9a65
criu >= 3.18-5.module+el8.10.0+22202+761b9a65
criu-devel >= 3.18-5.module+el8.10.0+22202+761b9a65
criu-libs >= 3.18-5.module+el8.10.0+22202+761b9a65
crun >= 1.14.3-2.module+el8.10.0+22202+761b9a65
fuse-overlayfs >= 1.13-1.module+el8.10.0+22202+761b9a65
libslirp >= 4.4.0-2.module+el8.10.0+22202+761b9a65
libslirp-devel >= 4.4.0-2.module+el8.10.0+22202+761b9a65
netavark >= 1.10.3-1.module+el8.10.0+22202+761b9a65
oci-seccomp-bpf-hook >= 1.2.10-1.module+el8.10.0+22202+761b9a65
podman >= 4.9.4-12.module+el8.10.0+22202+761b9a65
podman-catatonit >= 4.9.4-12.module+el8.10.0+22202+761b9a65
podman-docker >= 4.9.4-12.module+el8.10.0+22202+761b9a65
podman-gvproxy >= 4.9.4-12.module+el8.10.0+22202+761b9a65
podman-plugins >= 4.9.4-12.module+el8.10.0+22202+761b9a65
podman-remote >= 4.9.4-12.module+el8.10.0+22202+761b9a65
podman-tests >= 4.9.4-12.module+el8.10.0+22202+761b9a65
python3-criu >= 3.18-5.module+el8.10.0+22202+761b9a65
python3-podman >= 4.9.0-2.module+el8.10.0+22202+761b9a65
runc >= 1.1.12-4.module+el8.10.0+22202+761b9a65
skopeo >= 1.14.5-3.module+el8.10.0+22202+761b9a65
skopeo-tests >= 1.14.5-3.module+el8.10.0+22202+761b9a65
slirp4netns >= 1.2.3-1.module+el8.10.0+22202+761b9a65
toolbox >= 0.0.99.5-2.module+el8.10.0+22202+761b9a65
toolbox-tests >= 0.0.99.5-2.module+el8.10.0+22202+761b9a65
udica >= 0.2.6-21.module+el8.10.0+22202+761b9a65
| Patchnames: RHSA-2024:5258 |
SUSE Liberty Linux 9 | podman >= 4.9.4-10.el9_4
podman-docker >= 4.9.4-10.el9_4
podman-plugins >= 4.9.4-10.el9_4
podman-remote >= 4.9.4-10.el9_4
podman-tests >= 4.9.4-10.el9_4
| Patchnames: RHSA-2024:6194 |
SUSE Timeline for this CVE
CVE page created: Mon Jul 1 22:00:57 2024
CVE page last modified: Tue Dec 3 21:57:42 2024