net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

**Comments**

![@katiehockman](https://avatars.githubusercontent.com/u/28789760?s=88&u=e2750425c681d9ecc2cf44f67e82d8a7e861ad3b&v=4)

![@odeke-em](https://avatars.githubusercontent.com/u/4898263?s=60&u=71396c0dd79a0f55328aa0781c13ca5d940e6af3&v=4) odeke-em changed the title http: ReadRequest can stack overflow net/http: ReadRequest can stack overflow due to recursion with very large headers

Apr 23, 2021

gopherbot pushed a commit to golang/net that referenced this issue

Apr 28, 2021

![@katiehockman](https://avatars.githubusercontent.com/u/28789760?s=40&u=e2750425c681d9ecc2cf44f67e82d8a7e861ad3b&v=4)

…aderValuesContainsToken

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Updates golang/go#45710
Updates golang/go#45712

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 89ef3d9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314649
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

gopherbot pushed a commit to golang/net that referenced this issue

Apr 28, 2021

![@katiehockman](https://avatars.githubusercontent.com/u/28789760?s=40&u=e2750425c681d9ecc2cf44f67e82d8a7e861ad3b&v=4)

…esContainsToken

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Updates golang/go#45710
Updates golang/go#45711

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 89ef3d9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314650
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

AkihiroSuda pushed a commit to containerd/containerd that referenced this issue

May 7, 2021

![@tao12345666333](https://avatars.githubusercontent.com/u/3264292?s=40&v=4)

fix \[#45710\](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue

May 8, 2021

![@jacmet](https://avatars.githubusercontent.com/u/6599?s=40&u=9fe70d3f87b3e89e02b065a383742e42f37a3e16&v=4)

Fixes the following security issues:

- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
  unrecoverable panic when reading a very large header (over 7MB on 64-bit
  architectures, or over 4MB on 32-bit ones).  Transport and Client are
  vulnerable and the program can be made to crash by a malicious server.
  Server is not vulnerable by default, but can be if the default max header
  of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
  in which case the program can be made to crash by a malicious client.

  golang/go#45710

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue

May 8, 2021

![@jacmet](https://avatars.githubusercontent.com/u/6599?s=40&u=9fe70d3f87b3e89e02b065a383742e42f37a3e16&v=4)

Fixes the following security issues:

- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
  unrecoverable panic when reading a very large header (over 7MB on 64-bit
  architectures, or over 4MB on 32-bit ones).  Transport and Client are
  vulnerable and the program can be made to crash by a malicious server.
  Server is not vulnerable by default, but can be if the default max header
  of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
  in which case the program can be made to crash by a malicious client.

  golang/go#45710

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

dmcgowan pushed a commit to dmcgowan/containerd that referenced this issue

May 10, 2021

 ![@tao12345666333](https://avatars.githubusercontent.com/u/3264292?s=40&v=4)![@dmcgowan](https://avatars.githubusercontent.com/u/169601?s=40&v=4)

fix \[#45710\](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 79d800b)
Signed-off-by: Derek McGowan <derek@mcg.dev>

olix0r added a commit to linkerd/linkerd2 that referenced this issue

May 24, 2021

![@olix0r](https://avatars.githubusercontent.com/u/240738?s=40&u=93d91af656d51c5ae35f757a4e36c6ad8bb94866&v=4)

Go 1.16.4 includes a fix for a denial-of-service in net/http: golang/go#45710

Go's error file-line formatting changed in 1.16.3, so this change
updates tests to only do suffix matching on these error strings.

olix0r added a commit to linkerd/linkerd2 that referenced this issue

May 24, 2021

![@olix0r](https://avatars.githubusercontent.com/u/240738?s=40&u=93d91af656d51c5ae35f757a4e36c6ad8bb94866&v=4)

Go 1.16.4 includes a fix for a denial-of-service in net/http: golang/go#45710

Go's error file-line formatting changed in 1.16.3, so this change
updates tests to only do suffix matching on these error strings.

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue

Sep 14, 2021

![@jacmet](https://avatars.githubusercontent.com/u/6599?s=40&u=9fe70d3f87b3e89e02b065a383742e42f37a3e16&v=4)

Fixes the following security issues:

- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
  unrecoverable panic when reading a very large header (over 7MB on 64-bit
  architectures, or over 4MB on 32-bit ones).  Transport and Client are
  vulnerable and the program can be made to crash by a malicious server.
  Server is not vulnerable by default, but can be if the default max header
  of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
  in which case the program can be made to crash by a malicious client.

  golang/go#45710

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1cfc01a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

thaJeztah pushed a commit to thaJeztah/containerd that referenced this issue

Sep 15, 2021

 ![@tao12345666333](https://avatars.githubusercontent.com/u/3264292?s=40&v=4)![@thaJeztah](https://avatars.githubusercontent.com/u/1804568?s=40&v=4)

fix \[#45710\](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 79d800b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

fahedouch pushed a commit to fahedouch/containerd that referenced this issue

Oct 15, 2021

 ![@tao12345666333](https://avatars.githubusercontent.com/u/3264292?s=40&v=4)![@fahedouch](https://avatars.githubusercontent.com/u/11649303?s=40&v=4)

fix \[#45710\](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

NET12115 added a commit to NET12115/Golang-C-NET that referenced this issue

Feb 28, 2022

![@NET12115](https://avatars.githubusercontent.com/u/88066112?s=40&u=01910a2b4d14b02d9d3ef852f6d47aeb61f9ecf0&v=4)

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Fixes golang/go#45710

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

CVE-2021-31525: net/http: ReadRequest can stack overflow due to recursion with very large headers · Issue #45710 · golang/go

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

**Filippo Valsorda**

unread,

May 20, 2021, 7:24:58 PM5/20/21

to golang-nuts, golang-...@googlegroups.com, golang-dev

Hello gophers,

Version v0.0.0-20210520170846-37e1c6afe023 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which could cause a denial of service.

An attacker can craft an input to ParseFragment that would cause it to enter an infinite loop and never return.

This issue was discovered by OSS-Fuzz and reported to us by Andrew Thornton <ar...@cantab.net\>, and is tracked as CVE-2021-33194.

Cheers,  
Filippo on behalf of the Go team

CVE-2021-33194: [security] Vulnerability in golang.org/x/net/html

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability.

*   
*   
*   
*   
*   
*   

**Bug 1956926** (CVE-2018-25013) - CVE-2018-25013 libwebp: out-of-bounds read in ShiftBytes()

Summary: CVE-2018-25013 libwebp: out-of-bounds read in ShiftBytes()

Keywords:

Status:

CLOSED ERRATA

Alias:

CVE-2018-25013

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

\---

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

1961978 1961979 1962004 1962005 1961611 1961612

Blocks:

1940150 1956995

TreeView+

depends on / blocked

Reported:

2021-05-04 16:44 UTC by Guilherme de Almeida Suckevicz

Modified:

2021-11-10 01:54 UTC (History)

CC List:

9 users (show)

Fixed In Version:

libwebp 1.0.1

Doc Type:

If docs needed, set a value

Doc Text:

A flaw was found in libwebp. An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Clone Of:

Environment:

Last Closed:

2021-11-10 01:54:11 UTC

  

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

Links

System

ID

Private

Priority

Status

Summary

Last Updated

Red Hat Product Errata

RHSA-2021:4231

0

None

None

None

2021-11-09 17:50:34 UTC

  

Description Guilherme de Almeida Suckevicz 2021-05-04 16:44:45 UTC

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes().

Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9417

Comment 1 Riccardo Schirone 2021-05-18 10:59:33 UTC

Upstream patch:
https://chromium.googlesource.com/webm/libwebp/+/907208f97ead639bd521cf355a2f203f462eade6

Comment 7 errata-xmlrpc 2021-11-09 17:50:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4231 https://access.redhat.com/errata/RHSA-2021:4231

Comment 8 Product Security DevOps Team 2021-11-10 01:54:09 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-25013

Note You need to log in before you can comment on or make changes to this bug.

*   
*   
*   
*   
*   
*

CVE-2018-25013: 1956926 – (CVE-2018-25013) CVE-2018-25013 libwebp: out-of-bounds read in ShiftBytes()

A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Description Guilherme de Almeida Suckevicz 2021-05-04 14:18:22 UTC

An use-after-free was found in libwebp in versions before 1.0.1 in EmitFancyRGB() in dec/io\_dec.c.

Reference:
https://bugs.chromium.org/p/webp/issues/detail?id=385

Comment 1 Riccardo Schirone 2021-05-13 10:55:14 UTC

Upstream patch:
https://chromium.googlesource.com/webm/libwebp/+/569001f19fc81fcb5ab358f587a54c62e7c4665c

Comment 4 Riccardo Schirone 2021-05-17 10:47:46 UTC

Upstream release notes:
https://chromium.googlesource.com/webm/libwebp/+/v1.0.1

Comment 9 errata-xmlrpc 2021-06-07 12:18:12 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2260 https://access.redhat.com/errata/RHSA-2021:2260

Comment 10 Product Security DevOps Team 2021-06-07 15:04:00 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36329

Comment 11 errata-xmlrpc 2021-06-08 22:38:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2328 https://access.redhat.com/errata/RHSA-2021:2328

Comment 12 errata-xmlrpc 2021-06-09 00:25:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2354 https://access.redhat.com/errata/RHSA-2021:2354

Comment 13 errata-xmlrpc 2021-06-09 13:32:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2365 https://access.redhat.com/errata/RHSA-2021:2365

Comment 14 errata-xmlrpc 2021-06-09 13:51:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2364 https://access.redhat.com/errata/RHSA-2021:2364

CVE-2020-36329: use-after-free in EmitFancyRGB() in dec/io_dec.c

A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Description Guilherme de Almeida Suckevicz 2021-05-04 13:59:01 UTC

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in WebPDecode\*Into functions.

Reference:
https://bugs.chromium.org/p/webp/issues/detail?id=383

Comment 1 Riccardo Schirone 2021-05-13 10:38:02 UTC

Upstream patch:
https://chromium.googlesource.com/webm/libwebp/+/dad31750e374eff8e02fb467eb562d4bf236ed6e

Comment 5 Riccardo Schirone 2021-05-17 10:47:48 UTC

Upstream release notes:
https://chromium.googlesource.com/webm/libwebp/+/v1.0.1

Comment 10 errata-xmlrpc 2021-06-07 12:18:13 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2260 https://access.redhat.com/errata/RHSA-2021:2260

Comment 11 Product Security DevOps Team 2021-06-07 15:03:56 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36328

Comment 12 errata-xmlrpc 2021-06-08 22:38:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2328 https://access.redhat.com/errata/RHSA-2021:2328

Comment 13 errata-xmlrpc 2021-06-09 00:25:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2354 https://access.redhat.com/errata/RHSA-2021:2354

Comment 14 errata-xmlrpc 2021-06-09 13:32:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2365 https://access.redhat.com/errata/RHSA-2021:2365

Comment 15 errata-xmlrpc 2021-06-09 13:51:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2364 https://access.redhat.com/errata/RHSA-2021:2364

CVE-2020-36328: heap-based buffer overflow in WebPDecode*Into functions

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.

*   
*   
*   
*   
*   
*   

**Bug 1956856** (CVE-2020-36331) - CVE-2020-36331 libwebp: out-of-bounds read in ChunkAssignData() in mux/muxinternal.c

Summary: CVE-2020-36331 libwebp: out-of-bounds read in ChunkAssignData() in mux/muxint...

Keywords:

Status:

CLOSED ERRATA

Alias:

CVE-2020-36331

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

\---

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

1961978 1961979 1962004 1962005 1961601 1961602

Blocks:

1940150 1956995

TreeView+

depends on / blocked

Reported:

2021-05-04 14:38 UTC by Guilherme de Almeida Suckevicz

Modified:

2021-11-10 01:51 UTC (History)

CC List:

9 users (show)

Fixed In Version:

libwebp 1.0.1

Doc Type:

If docs needed, set a value

Doc Text:

A flaw was found in libwebp. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Clone Of:

Environment:

Last Closed:

2021-11-10 01:51:55 UTC

  

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

Links

System

ID

Private

Priority

Status

Summary

Last Updated

Red Hat Product Errata

RHSA-2021:4231

0

None

None

None

2021-11-09 17:50:23 UTC

  

Description Guilherme de Almeida Suckevicz 2021-05-04 14:38:36 UTC

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ChunkAssignData() in mux/muxinternal.c.

Reference:
https://bugs.chromium.org/p/webp/issues/detail?id=388

Comment 2 Riccardo Schirone 2021-05-18 10:05:13 UTC

Upstream patch:
https://chromium.googlesource.com/webm/libwebp/+/be738c6d396fa5a272c1b209be4379a7532debfe

Comment 7 errata-xmlrpc 2021-11-09 17:50:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4231 https://access.redhat.com/errata/RHSA-2021:4231

Comment 8 Product Security DevOps Team 2021-11-10 01:51:53 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36331

Note You need to log in before you can comment on or make changes to this bug.

*   
*   
*   
*   
*   
*

CVE-2020-36331: out-of-bounds read in ChunkAssignData() in mux/muxinternal.c

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ApplyFilter. The highest threat from this vulnerability is to data confidentiality and to the service availability.

*   
*   
*   
*   
*   
*   

**Bug 1956918** (CVE-2018-25010) - CVE-2018-25010 libwebp: out-of-bounds read in ApplyFilter()

Summary: CVE-2018-25010 libwebp: out-of-bounds read in ApplyFilter()

Keywords:

Status:

CLOSED ERRATA

Alias:

CVE-2018-25010

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

\---

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

1961978 1961979 1962004 1962005 1961607 1961608

Blocks:

1940150 1956995

TreeView+

depends on / blocked

Reported:

2021-05-04 16:30 UTC by Guilherme de Almeida Suckevicz

Modified:

2021-11-10 01:53 UTC (History)

CC List:

9 users (show)

Fixed In Version:

libwebp 1.0.1

Doc Type:

If docs needed, set a value

Doc Text:

A flaw was found in libwebp. An out-of-bounds read was found in function ApplyFilter. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Clone Of:

Environment:

Last Closed:

2021-11-10 01:53:17 UTC

  

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

Links

System

ID

Private

Priority

Status

Summary

Last Updated

Red Hat Product Errata

RHSA-2021:4231

0

None

None

None

2021-11-09 17:50:30 UTC

  

Description Guilherme de Almeida Suckevicz 2021-05-04 16:30:40 UTC

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter().

Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9105

Comment 1 Riccardo Schirone 2021-05-18 10:54:30 UTC

Upstream patch:
https://chromium.googlesource.com/webm/libwebp/+/1344a2e947c749d231141a295327e5b99b444d63

Comment 7 errata-xmlrpc 2021-11-09 17:50:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4231 https://access.redhat.com/errata/RHSA-2021:4231

Comment 8 Product Security DevOps Team 2021-11-10 01:53:14 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-25010

Note You need to log in before you can comment on or make changes to this bug.

*   
*   
*   
*   
*   
*

CVE-2018-25010: 1956918 – (CVE-2018-25010) CVE-2018-25010 libwebp: out-of-bounds read in ApplyFilter()

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Description Guilherme de Almeida Suckevicz 2021-05-04 16:34:55 UTC

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().

Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9123

Comment 1 Gianluca Gabrielli 2021-05-05 19:08:31 UTC

This seems to be a duplicate of 1956917

\[0\] https://bugzilla.redhat.com/show\_bug.cgi?id=1956917

Comment 3 Riccardo Schirone 2021-05-18 10:57:15 UTC

Upstream patch:
https://chromium.googlesource.com/webm/libwebp/+/95fd65070662e01cc9170c4444f5c0859a710097

Comment 5 Riccardo Schirone 2021-05-18 12:17:58 UTC

In reply to comment #1:
\> This seems to be a duplicate of 1956917
> 
> \[0\] https://bugzilla.redhat.com/show\_bug.cgi?id=1956917

Although the fix is the same, the issue seems to be in two different lines so I'd keep them separated to avoid possible confusions to others.

Comment 9 errata-xmlrpc 2021-11-09 17:50:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4231 https://access.redhat.com/errata/RHSA-2021:4231

Comment 10 Product Security DevOps Team 2021-11-10 01:53:42 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-25012

CVE-2018-25012: 1956922 – (CVE-2018-25012) CVE-2018-25012 libwebp: out-of-bounds read in WebPMuxCreateInternal()

mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors.

  

**mod\_auth\_openidc**

_mod\_auth\_openidc_ is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality.

**Overview**

This module enables an Apache 2.x web server to operate as an OpenID Connect _Relying Party_ (RP) towards an OpenID Connect _Provider_ (OP). It relays end user authentication to a Provider and receives user identity information from that Provider. It then passes on that identity information (a.k.a. claims) to applications protected by the Apache web server and establishes an authentication session for the identified user.

The protected content, applications and services can be hosted by the Apache server itself or served from origin server(s) residing behind it by configuring Apache as a Reverse Proxy in front of those servers. The latter allows for adding OpenID Connect based authentication to existing applications/services/SPAs without modifying those applications, possibly migrating them away from legacy authentication mechanisms to standards-based OpenID Connect Single Sign On (SSO).

By default the module sets the REMOTE_USER variable to the id_token [sub] claim, concatenated with the OP's Issuer identifier ([sub]@[iss]). Other id_token claims are passed in HTTP headers and/or environment variables together with those (optionally) obtained from the UserInfo endpoint. The provided HTTP headers and environment variables can be consumed by applications protected by the Apache server.

Custom fine-grained authorization rules - based on Apache's Require primitives - can be specified to match against the set of claims provided in the id_token/ userinfo claims, see here. Clustering for resilience and performance can be configured using one of the supported cache backends options as listed here.

For an exhaustive description of all configuration options, see the file auth_openidc.conf. This file can also serve as an include file for httpd.conf.

**Interoperability**

_mod\_auth\_openidc_ is OpenID Certified™ and supports the following specifications:

*   OpenID Connect Core 1.0 _(Basic, Implicit, Hybrid and Refresh flows)_
*   OpenID Connect Discovery 1.0
*   OpenID Connect Dynamic Client Registration 1.0
*   OAuth 2.0 Multiple Response Type Encoding Practices 1.0
*   OAuth 2.0 Form Post Response Mode 1.0
*   RFC7 7636 - Proof Key for Code Exchange by OAuth Public Clients
*   OpenID Connect Session Management 1.0 _see the Wiki for information on how to configure it)_
*   OpenID Connect Front-Channel Logout 1.0
*   OpenID Connect Back-Channel Logout 1.0

**Support****Community**

Documentation can be found at the Wiki (including Frequently Asked Questions) at:  
https://github.com/OpenIDC/mod\_auth\_openidc/wiki  
For questions, issues and suggestions use the Github Discussions forum at:  
https://github.com/OpenIDC/mod\_auth\_openidc/discussions

**Commercial**

For commercial support contracts, professional services, training and use-case specific support please contact:  
sales@openidc.com

**How to Use It****OpenID Connect SSO with Google+ Sign-In**

Sample configuration for using Google as your OpenID Connect Provider running on www.example.com and https://www.example.com/example/redirect_uri registered as the _redirect\_uri_ for the client through the Google API Console. You will also have to enable the Google+ API under APIs & auth in the Google API console.

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <your\-client-id-administered-through-the-google-api-console>
OIDCClientSecret <your\-client-secret-administered-through-the-google-api-console>

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://www.example.com/example/redirect\_uri
OIDCCryptoPassphrase <password\>

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location\>

Note if you want to securely restrict logins to a specific Google Apps domain you would not only add the hd=<your-domain> setting to the OIDCAuthRequestParams primitive for skipping the Google Account Chooser screen, but you must also ask for the email scope using OIDCScope and use a Require claim authorization setting in the Location primitive similar to:

OIDCScope "openid email"
Require claim hd:<your\-domain>

The above is an authorization example of an exact match of a provided claim against a string value. For more authorization options see the Wiki page on Authorization.

**Quickstart with a generic OpenID Connect Provider**

1.  install and load mod_auth_openidc.so in your Apache server
2.  configure your protected content/locations with AuthType openid-connect
3.  set OIDCRedirectURI to a "vanity" URL within a location that is protected by mod\_auth\_openidc
4.  register/generate a Client identifier and a secret with the OpenID Connect Provider and configure those in OIDCClientID and OIDCClientSecret respectively
5.  and register the OIDCRedirectURI as the Redirect or Callback URI with your client at the Provider
6.  configure OIDCProviderMetadataURL so it points to the Discovery metadata of your OpenID Connect Provider served on the .well-known/openid-configuration endpoint
7.  configure a random password in OIDCCryptoPassphrase for session/state encryption purposes

LoadModule auth\_openidc\_module modules/mod\_auth\_openidc.so

OIDCProviderMetadataURL <issuer\>/.well-known/openid-configuration
OIDCClientID <client\_id>
OIDCClientSecret <client\_secret>

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://<hostname\>/secure/redirect\_uri
OIDCCryptoPassphrase <password\>

<Location /secure>
   AuthType openid-connect
   Require valid-user
</Location\>

For details on configuring multiple providers see the Wiki.

**Quickstart for Other Providers**

See the Wiki for configuration docs for other OpenID Connect Providers:

*   GLUU Server
*   Keycloak
*   Azure AD
*   Sign in with Apple
*   Curity Identity Server
*   LemonLDAP::NG
*   GitLab
*   Globus and more

**Disclaimer**

_This software is open sourced by OpenIDC, subsidiary of ZmartZone Holding B.V. For commercial services you can contact OpenIDC as described above in the Support section._

CVE-2021-20718: GitHub - OpenIDC/mod_auth_openidc: OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x

![Build Status](https://github.com/zmartzone/mod_auth_openidc/actions/workflows/build.yml/badge.svg) ![OpenID Certification](https://camo.githubusercontent.com/c0acb0e22a4279d0e525b3b619895587fa25b2b31967ff56b07736887aa51fbd/687474703a2f2f6f70656e69642e6e65742f776f726470726573732d636f6e74656e742f75706c6f6164732f323031362f30352f6f69642d6c2d63657274696669636174696f6e2d6d61726b2d6c2d636d796b2d3135306470692d39306d6d2e6a7067) ![Architectures Status](https://github.com/zmartzone/mod_auth_openidc/actions/workflows/archs.yml/badge.svg) ![CodeQL Analysis](https://github.com/zmartzone/mod_auth_openidc/actions/workflows/codeql-analysis.yml/badge.svg) ![Code Quality: Cpp](https://camo.githubusercontent.com/4c45c07b759514e8133324d00aeead716f5dc7ef19d8d937d8643f0ed9843150/68747470733a2f2f696d672e736869656c64732e696f2f6c67746d2f67726164652f6370702f672f7a6d6172747a6f6e652f6d6f645f617574685f6f70656e6964632e7376673f6c6f676f3d6c67746d266c6f676f57696474683d3138) ![Total Alerts](https://camo.githubusercontent.com/738d2003fa81b37f21b9a22fa2a5f0db03c821fd79ca48d63dc325b4bc2efa4a/68747470733a2f2f696d672e736869656c64732e696f2f6c67746d2f616c657274732f672f7a6d6172747a6f6e652f6d6f645f617574685f6f70656e6964632e7376673f6c6f676f3d6c67746d266c6f676f57696474683d3138)

**mod\_auth\_openidc**

_mod\_auth\_openidc_ is a certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality.

**Overview**

This module enables an Apache 2.x web server to operate as an OpenID Connect _Relying Party_ (RP) towards an OpenID Connect _Provider_ (OP). It relays end user authentication to a Provider and receives user identity information from that Provider. It then passes on that identity information (a.k.a. claims) to applications protected by the Apache web server and establishes an authentication session for the identified user.

The protected content, applications and services can be hosted by the Apache server itself or served from origin server(s) residing behind it by configuring Apache as a Reverse Proxy in front of those servers. The latter allows for adding OpenID Connect based authentication to existing applications/services/SPAs without modifying those applications, possibly migrating them away from legacy authentication mechanisms to standards-based OpenID Connect Single Sign On (SSO).

By default the module sets the `REMOTE_USER` variable to the `id_token` `[sub]` claim, concatenated with the OP's Issuer identifier (`[sub]@[iss]`). Other `id_token` claims are passed in HTTP headers and/or environment variables together with those (optionally) obtained from the UserInfo endpoint. The provided HTTP headers and environment variables can be consumed by applications protected by the Apache server.

Custom fine-grained authorization rules - based on Apache's `Require` primitives - can be specified to match against the set of claims provided in the `id_token`/ `userinfo` claims, see here. Clustering for resilience and performance can be configured using one of the supported cache backends options as listed here.

For an exhaustive description of all configuration options, see the file `auth_openidc.conf`. This file can also serve as an include file for `httpd.conf`.

**Interoperability**

_mod\_auth\_openidc_ is OpenID Connect certified and supports the following specifications:

*   OpenID Connect Core 1.0 _(Basic, Implicit, Hybrid and Refresh flows)_
*   OpenID Connect Discovery 1.0
*   OpenID Connect Dynamic Client Registration 1.0
*   OAuth 2.0 Multiple Response Type Encoding Practices 1.0
*   OAuth 2.0 Form Post Response Mode 1.0
*   RFC7 7636 - Proof Key for Code Exchange by OAuth Public Clients
*   OpenID Connect Session Management 1.0 _(implementers draft; see the Wiki for information on how to configure it)_
*   OpenID Connect Front-Channel Logout 1.0 _(implementers draft)_
*   OpenID Connect Back-Channel Logout 1.0 _(implementers draft)_

**Support****Community**

Documentation can be found at the Wiki (including Frequently Asked Questions) at:  
https://github.com/zmartzone/mod\_auth\_openidc/wiki  
For questions, issues and suggestions use the Github Discussions forum at:  
https://github.com/zmartzone/mod\_auth\_openidc/discussions

**Commercial**

For commercial support contracts, professional services, training and use-case specific support please contact:  
sales@zmartzone.eu

**How to Use It****OpenID Connect SSO with Google+ Sign-In**

Sample configuration for using Google as your OpenID Connect Provider running on `www.example.com` and `https://www.example.com/example/redirect_uri` registered as the _redirect\_uri_ for the client through the Google API Console. You will also have to enable the `Google+ API` under `APIs & auth` in the Google API console.

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <your\-client-id-administered-through-the-google-api-console>
OIDCClientSecret <your\-client-secret-administered-through-the-google-api-console>

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://www.example.com/example/redirect\_uri
OIDCCryptoPassphrase <password\>

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location\>

Note if you want to securely restrict logins to a specific Google Apps domain you would not only add the `hd=<your-domain>` setting to the `OIDCAuthRequestParams` primitive for skipping the Google Account Chooser screen, but you must also ask for the `email` scope using `OIDCScope` and use a `Require claim` authorization setting in the `Location` primitive similar to:

OIDCScope "openid email"
Require claim hd:<your\-domain>

The above is an authorization example of an exact match of a provided claim against a string value. For more authorization options see the Wiki page on Authorization.

**Quickstart with a generic OpenID Connect Provider**

1.  install and load `mod_auth_openidc.so` in your Apache server
2.  configure your protected content/locations with `AuthType openid-connect`
3.  set `OIDCRedirectURI` to a "vanity" URL within a location that is protected by mod\_auth\_openidc
4.  register/generate a Client identifier and a secret with the OpenID Connect Provider and configure those in `OIDCClientID` and `OIDCClientSecret` respectively
5.  and register the `OIDCRedirectURI` as the Redirect or Callback URI with your client at the Provider
6.  configure `OIDCProviderMetadataURL` so it points to the Discovery metadata of your OpenID Connect Provider served on the `.well-known/openid-configuration` endpoint
7.  configure a random password in `OIDCCryptoPassphrase` for session/state encryption purposes

LoadModule auth\_openidc\_module modules/mod\_auth\_openidc.so

OIDCProviderMetadataURL <issuer\>/.well-known/openid-configuration
OIDCClientID <client\_id>
OIDCClientSecret <client\_secret>

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://<hostname\>/secure/redirect\_uri
OIDCCryptoPassphrase <password\>

<Location /secure>
   AuthType openid-connect
   Require valid-user
</Location\>

For details on configuring multiple providers see the Wiki.

**Quickstart for Other Providers**

See the Wiki for configuration docs for other OpenID Connect Providers:

*   GLUU Server
*   Keycloak
*   Azure AD
*   Sign in with Apple
*   Curity Identity Server
*   LemonLDAP::NG
*   GitLab
*   Globus and more

**Disclaimer**

_This software is open sourced by ZmartZone IAM. For commercial services you can contact ZmartZone IAM as described above in the Support section._

Tag

#google