net: Lookup functions may return invalid host names #46241
Comments
|
Change https://golang.org/cl/320949 mentions this issue: |
dmitshur
added
the
NeedsFix
|
@dmitshur this will be backported to 1.16 and 1.15 for the upcoming minor releases (targeted to June 1 as well), so if all goes according to plan, it should be merged before the 1.17 beta anyway. |
|
@katiehockman If I understand correctly, your comment is suggesting that it would be safe to apply both |
|
@dmitshur yes that sounds right. @rolandshoemaker can correct me if I'm wrong there. |
dmitshur
added
okay-after-beta1
|
Thanks. I applied those labels here and in #46242. Please make changes if needed (e.g., you can remove okay-after-beta1 if we shouldn't release Go 1.17 Beta 1 without this fix). Having these labels helps ensure release tooling will not stay quietl if something doesn't go as originally anticipated, so @rolandshoemaker please feel free to apply them as needed when filing issues in the future. |
|
@gopherbot please consider this for backport to 1.15 and 1.16 as this is a security issue. |
|
Backport issue(s) opened: #46356 (for 1.15), #46357 (for 1.16). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases. |
|
Change https://golang.org/cl/322230 mentions this issue: |
|
Change https://golang.org/cl/322231 mentions this issue: |
|
Change https://golang.org/cl/323013 mentions this issue: |
|
Change https://golang.org/cl/323131 mentions this issue: |
For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr check that the returned domain names are in fact valid DNS names using the existing isDomainName function. Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue. Fixes #46241 Fixes CVE-2021-33195 Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3 Reviewed-on: https://go-review.googlesource.com/c/go/+/323131 Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
|
Change https://golang.org/cl/323269 mentions this issue: |
|
Change https://golang.org/cl/323270 mentions this issue: |
…main names For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr check that the returned domain names are in fact valid DNS names using the existing isDomainName function. Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue. Updates #46241 Fixes #46357 Fixes CVE-2021-33195 Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3 Reviewed-on: https://go-review.googlesource.com/c/go/+/323131 Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Katie Hockman <katie@golang.org> (cherry picked from commit cdcd028) Reviewed-on: https://go-review.googlesource.com/c/go/+/323270
…main names For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr check that the returned domain names are in fact valid DNS names using the existing isDomainName function. Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue. Updates #46241 Fixes #46356 Fixes CVE-2021-33195 Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3 Reviewed-on: https://go-review.googlesource.com/c/go/+/323131 Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Katie Hockman <katie@golang.org> (cherry picked from commit cdcd028) Reviewed-on: https://go-review.googlesource.com/c/go/+/323269
go1.15.13 (released 2021-06-03) includes security fixes to the archive/zip, math/big, net, and net/http/httputil packages, as well as bug fixes to the linker, the go command, and the math/big and net/http packages. See the Go 1.15.13 milestone on our issue tracker for details. The SetString and UnmarshalText methods of math/big.Rat <https://pkg.go.dev/math/big#Rat> may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. This is issue <golang/go#44910> and CVE-2021-33198. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. ReverseProxy in net/http/httputil <https://pkg.go.dev/net/http/httputil> could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director. This is issue <golang/go#46313> and CVE-2021-33197. Thanks to Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson for reporting this issue. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net <https://pkg.go.dev/net>, and their respective methods on the Resolver <https://pkg.go.dev/net#Resolver> type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 <https://datatracker.ietf.org/doc/html/rfc1035>rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use. This is issue <golang/go#46241> and CVE-2021-33195. Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue. The NewReader and OpenReader functions in archive/zip <https://pkg.go.dev/archive/zip> can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is issue <https://github.com/golang/go/issues/46242>and CVE-2021-33196. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.
go1.16.5 (released 2021-06-03) includes security fixes to the archive/zip, math /big, net, and net/http/httputil packages, as well as bug fixes to the linker, the go command, and the net/http package. See the Go 1.16.5 milestone on our issue tracker for details. The SetString and UnmarshalText methods of math/big.Rat <https://pkg.go.dev/math/big#Rat> may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. This is issue <golang/go#44910> and CVE-2021-33198. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. ReverseProxy in net/http/httputil <https://pkg.go.dev/net/http/httputil> could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director. This is issue <golang/go#46313> and CVE-2021-33197. Thanks to Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson for reporting this issue. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net <https://pkg.go.dev/net>, and their respective methods on the Resolver <https://pkg.go.dev/net#Resolver> type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 <https://datatracker.ietf.org/doc/html/rfc1035>rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use. This is issue <golang/go#46241> and CVE-2021-33195. Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue. The NewReader and OpenReader functions in archive/zip <https://pkg.go.dev/archive/zip> can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is issue <https://github.com/golang/go/issues/46242>and CVE-2021-33196. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.
|
Change https://golang.org/cl/332549 mentions this issue: |
Instead of hard failing on a single bad record, filter the bad records and return anything valid. This only applies to the methods which can return multiple records, LookupMX, LookupNS, LookupSRV, and LookupAddr. When bad results are filtered out, also return an error, indicating that this filtering has happened. Updates #46241 Fixes #46979 Change-Id: I6493e0002beaf89f5a9795333a93605abd30d171 Reviewed-on: https://go-review.googlesource.com/c/go/+/332549 Trust: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
Change https://golang.org/cl/333330 mentions this issue: |
|
Change https://golang.org/cl/333331 mentions this issue: |
…nstead of hard failing Instead of hard failing on a single bad record, filter the bad records and return anything valid. This only applies to the methods which can return multiple records, LookupMX, LookupNS, LookupSRV, and LookupAddr. When bad results are filtered out, also return an error, indicating that this filtering has happened. Updates #46241 Updates #46979 Fixes #46999 Change-Id: I6493e0002beaf89f5a9795333a93605abd30d171 Reviewed-on: https://go-review.googlesource.com/c/go/+/332549 Trust: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> (cherry picked from commit 296ddf2) Reviewed-on: https://go-review.googlesource.com/c/go/+/333330 Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org>
…nstead of hard failing Instead of hard failing on a single bad record, filter the bad records and return anything valid. This only applies to the methods which can return multiple records, LookupMX, LookupNS, LookupSRV, and LookupAddr. When bad results are filtered out, also return an error, indicating that this filtering has happened. Updates #46241 Updates #46979 Fixes #47012 Change-Id: I6493e0002beaf89f5a9795333a93605abd30d171 Reviewed-on: https://go-review.googlesource.com/c/go/+/332549 Trust: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> (cherry picked from commit 296ddf2) Reviewed-on: https://go-review.googlesource.com/c/go/+/333331 Run-TryBot: Roland Shoemaker <roland@golang.org>
The
net.Lookup{Addr,CNAME,Host}functions don't do any filtering of returned host name string types when using the pure Go resolver, allowing for invalid names to be returned to the caller. If the caller expects these names to be valid they may use them in an unsanitized context, allowing for injection of unexpected content. Depending on the implementation, the cgo resolver may do some level of filtering, for instance the glibc implementation ofgetaddrinfodoes impose its own filtering.The simple approach to this is to check returned names with the existing
isDomainNamefunction, which applies RFC 1035 LDH rules (as well as allowing underscores for SRV style names), and failing out if the returned names are not considered proper. This should mostly match glibc behavior. In order to avoid diverging behavior across implementations, the check should probably be done at theResolverlevel, rather than just in the pure GoLookup...implementations.This is CVE-2021-33195.
The text was updated successfully, but these errors were encountered: