Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS2-2023-1913

Related Vulnerabilities: CVE-2022-2879   CVE-2022-41715   CVE-2022-41716  

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. (CVE-2022-2879) Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. (CVE-2022-41715) Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string A=Bx00C=D sets the variables A=B and C=D. (CVE-2022-41716)

Source

ALAS2-2023-1913

Amazon Linux 2 Security Advisory: ALAS-2023-1913
Advisory Release Date: 2023-01-18 00:17 Pacific
Advisory Updated Date: 2023-01-20 23:16 Pacific
Severity: Important
Issue Overview:

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. (CVE-2022-2879)

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. (CVE-2022-41715)

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string A=Bx00C=D sets the variables A=B and C=D. (CVE-2022-41716)


Affected Packages:

golist


Issue Correction:
Run yum update golist to update your system.

New Packages:
aarch64:
    golist-0.10.1-10.amzn2.0.2.aarch64
    golist-debuginfo-0.10.1-10.amzn2.0.2.aarch64

src:
    golist-0.10.1-10.amzn2.0.2.src

x86_64:
    golist-0.10.1-10.amzn2.0.2.x86_64
    golist-debuginfo-0.10.1-10.amzn2.0.2.x86_64

Additional References

Red Hat: CVE-2022-2879, CVE-2022-41715, CVE-2022-41716

Mitre: CVE-2022-2879, CVE-2022-41715, CVE-2022-41716

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started