CVE-2024-1394

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-1394

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1394.json

Aliases

• GHSA-78hx-gp6g-7mj6
• GO-2024-2660

Related

• ALSA-2024:1462
• ALSA-2024:1472
• ALSA-2024:1501
• ALSA-2024:1502
• ALSA-2024:1644
• ALSA-2024:1646
• ALSA-2024:2562
• ALSA-2024:2568
• ALSA-2024:2569
• RLSA-2024:1472
• RLSA-2024:1502
• RLSA-2024:1644
• RLSA-2024:1646
• RLSA-2024:2562
• RLSA-2024:2568
• RLSA-2024:2569

Published

2024-03-21T13:00:08Z

Modified

2024-05-14T13:08:36.344941Z

Summary

[none]

Details

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.

References

• https://access.redhat.com/errata/RHSA-2024:1462
• https://access.redhat.com/errata/RHSA-2024:1468
• https://access.redhat.com/errata/RHSA-2024:1472
• https://access.redhat.com/errata/RHSA-2024:1501
• https://access.redhat.com/errata/RHSA-2024:1502
• https://access.redhat.com/errata/RHSA-2024:1561
• https://access.redhat.com/errata/RHSA-2024:1563
• https://access.redhat.com/errata/RHSA-2024:1566
• https://access.redhat.com/errata/RHSA-2024:1567
• https://access.redhat.com/errata/RHSA-2024:1574
• https://access.redhat.com/errata/RHSA-2024:1640
• https://access.redhat.com/errata/RHSA-2024:1644
• https://access.redhat.com/errata/RHSA-2024:1646
• https://access.redhat.com/errata/RHSA-2024:1763
• https://access.redhat.com/errata/RHSA-2024:1897
• https://access.redhat.com/errata/RHSA-2024:2562
• https://access.redhat.com/errata/RHSA-2024:2568
• https://access.redhat.com/errata/RHSA-2024:2569
• https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
• https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136
• https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f
• https://bugzilla.redhat.com/show_bug.cgi?id=2262921
• https://access.redhat.com/security/cve/CVE-2024-1394
• https://pkg.go.dev/vuln/GO-2024-2660
• https://vuln.go.dev/ID/GO-2024-2660.json