Upstream information

CVE-2024-1394 at MITRE

Description

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in the golang-fips/openssl bindings, at github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters so that a deferred function can free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them, so the handles allocated before the error are never released and each failing call leaks them.
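The named-return-plus-defer mistake described above, reduced to a runnable Go example. This is an added illustration, not code from golang-fips/openssl: the resource type, the live counter and the setupLeaky/setupFixed functions are constructed stand-ins for the EVP_PKEY and EVP_PKEY_CTX handles, with only the pkey and ctx names taken from the description. setupLeaky returns explicit nils on error, exactly the pattern the CVE text names, so the deferred cleanup sees nil and frees nothing; setupFixed uses bare returns so the defer still holds the allocated handles.

```go
package main

import (
	"errors"
	"fmt"
)

// resource is a constructed stand-in for an OpenSSL handle (EVP_PKEY or
// EVP_PKEY_CTX). It is not the golang-fips/openssl type.
type resource struct {
	name  string
	freed bool
}

// live counts resources that have been allocated but not yet freed.
var live int

func newResource(name string) *resource {
	live++
	return &resource{name: name}
}

// free is safe on a nil receiver, mirroring C-style free helpers.
func (r *resource) free() {
	if r != nil && !r.freed {
		r.freed = true
		live--
	}
}

// setupLeaky reproduces the bug pattern: the deferred cleanup inspects the
// named results pkey and ctx, but every error path returns explicit nils,
// so by the time the defer runs both names are nil and nothing is freed.
func setupLeaky(failAt int) (pkey, ctx *resource, err error) {
	defer func() {
		if err != nil {
			pkey.free() // pkey is already nil here: the allocation leaks
			ctx.free()
		}
	}()
	pkey = newResource("pkey")
	if failAt == 1 {
		return nil, nil, errors.New("key init failed")
	}
	ctx = newResource("ctx")
	if failAt == 2 {
		return nil, nil, errors.New("ctx init failed")
	}
	return pkey, ctx, nil
}

// setupFixed sets err and uses a bare return, so the named results still
// refer to the allocated handles when the deferred cleanup runs. The defer
// then clears them so callers never receive a freed handle on error.
func setupFixed(failAt int) (pkey, ctx *resource, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
			pkey, ctx = nil, nil
		}
	}()
	pkey = newResource("pkey")
	if failAt == 1 {
		err = errors.New("key init failed")
		return
	}
	ctx = newResource("ctx")
	if failAt == 2 {
		err = errors.New("ctx init failed")
		return
	}
	return pkey, ctx, nil
}

// leakedAfter calls setup n times with the error forced at step failAt
// (0 = success) and reports how many resources remain allocated. On the
// success path the caller frees both handles, as a real caller would.
func leakedAfter(setup func(int) (*resource, *resource, error), failAt, n int) int {
	live = 0
	for i := 0; i < n; i++ {
		pkey, ctx, err := setup(failAt)
		if err == nil {
			pkey.free()
			ctx.free()
		}
	}
	return live
}

func main() {
	fmt.Printf("leaky, error at step 1: %d handles leaked over 1000 calls\n", leakedAfter(setupLeaky, 1, 1000))
	fmt.Printf("leaky, error at step 2: %d handles leaked over 1000 calls\n", leakedAfter(setupLeaky, 2, 1000))
	fmt.Printf("fixed, error at step 1: %d handles leaked over 1000 calls\n", leakedAfter(setupFixed, 1, 1000))
	fmt.Printf("fixed, error at step 2: %d handles leaked over 1000 calls\n", leakedAfter(setupFixed, 2, 1000))
}
```

The leak grows linearly with the number of failing calls, which is why attacker-controlled inputs that force the error path turn a small per-call leak into resource exhaustion. The same check applies when reviewing any Go function that frees C-allocated handles from a defer over named results: every error return must leave the handles in the named variables (bare return, or `return pkey, ctx, err`), not overwrite them with nil.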

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE Liberty Linux 8
  • delve >= 1.20.2-1.module+el8.9.0+18926+5193682d
  • go-toolset >= 1.20.12-1.module+el8.9.0+21033+5795bdf6
  • golang >= 1.20.12-3.module+el8.9.0+21528+703c3aa2
  • golang-bin >= 1.20.12-3.module+el8.9.0+21528+703c3aa2
  • golang-docs >= 1.20.12-3.module+el8.9.0+21528+703c3aa2
  • golang-misc >= 1.20.12-3.module+el8.9.0+21528+703c3aa2
  • golang-src >= 1.20.12-3.module+el8.9.0+21528+703c3aa2
  • golang-tests >= 1.20.12-3.module+el8.9.0+21528+703c3aa2
  • grafana >= 9.2.10-8.el8_9
  • grafana-pcp >= 5.1.1-2.el8_9
Patchnames:
RHSA-2024:1472
RHSA-2024:1644
RHSA-2024:1646
SUSE Liberty Linux 9
  • go-toolset >= 1.20.12-2.el9_3
  • golang >= 1.20.12-2.el9_3
  • golang-bin >= 1.20.12-2.el9_3
  • golang-docs >= 1.20.12-2.el9_3
  • golang-misc >= 1.20.12-2.el9_3
  • golang-src >= 1.20.12-2.el9_3
  • golang-tests >= 1.20.12-2.el9_3
  • grafana >= 9.2.10-8.el9_3
  • grafana-pcp >= 5.1.1-2.el9_3
Patchnames:
RHSA-2024:1462
RHSA-2024:1501
RHSA-2024:1502


SUSE Timeline for this CVE

CVE page created: Wed Mar 20 19:00:16 2024
CVE page last modified: Thu Apr 11 20:37:30 2024