Bug#1057226: golang-github-go-resty-resty: CVE-2023-45286

    From Salvatore Bonaccorso@21:1/5 to Salvatore Bonaccorso on Tue Apr 22 16:00:01 2025
    Control: severity -1 grave

    Hi,

    On Fri, Dec 01, 2023 at 10:38:32PM +0100, Salvatore Bonaccorso wrote:
    > Source: golang-github-go-resty-resty
    > Version: 2.10.0-1
    > Severity: important
    > Tags: security upstream
    > Forwarded: https://github.com/go-resty/resty/pull/745
    > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
    >
    > Hi,
    >
    > The following vulnerability was published for golang-github-go-resty-resty.
    >
    > CVE-2023-45286[0]:
    > | A race condition in go-resty can result in HTTP request body
    > | disclosure across requests. This condition can be triggered by
    > | calling sync.Pool.Put with the same *bytes.Buffer more than once,
    > | when request retries are enabled and a retry occurs. The call to
    > | sync.Pool.Get will then return a bytes.Buffer that hasn't had
    > | bytes.Buffer.Reset called on it. This dirty buffer will contain the
    > | HTTP request body from an unrelated request, and go-resty will
    > | append the current HTTP request body to it, sending two bodies in
    > | one request. The sync.Pool in question is defined at package level
    > | scope, so a completely unrelated server could receive the request
    > | body.

    There is a fix upstream at https://github.com/go-resty/resty/commit/577fed8730d79f583eb48dfc81674164e1fc471e;
    can we have a targeted fix land in trixie? For bookworm and
    older we marked it no-dsa, but I think it would be sensible to try to
    make it for trixie regularly (raising the severity for that to RC).

    Regards,
    Salvatore
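The buffer-sharing defect the CVE text describes, modelled in Go as an added example (this is not go-resty's code and not the upstream fix). The pool is a small stand-in with the same Get/Put contract as sync.Pool, written so the run is deterministic and so it can count a second Put of a pointer it already holds; `attemptSend`, `vulnerableRequest`, `fixedRequest`, `interleavedBodies`, `scenario` and the sample request bodies are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// bufferPool has the Get/Put contract of sync.Pool, which go-resty uses
// for request-body buffers. It is a deterministic stand-in constructed for
// this example: sync.Pool may drop items at any GC, which would make the
// demonstration flaky, while the double-Put defect behaves the same way.
// As a debugging aid it also counts Puts of a pointer it already holds.
type bufferPool struct {
	free       []*bytes.Buffer
	doublePuts int
}

func (p *bufferPool) Get() *bytes.Buffer {
	if n := len(p.free); n > 0 {
		b := p.free[n-1]
		p.free = p.free[:n-1]
		return b
	}
	return new(bytes.Buffer)
}

func (p *bufferPool) Put(b *bytes.Buffer) {
	for _, held := range p.free {
		if held == b {
			p.doublePuts++ // same pointer handed back twice: the root cause
		}
	}
	p.free = append(p.free, b)
}

// bodyPool is package-level, as the CVE text says of go-resty's pool, so
// every request in the process shares it regardless of destination host.
var bodyPool = &bufferPool{}

// release resets the buffer and returns it to the pool. Reset happens here,
// not on Get, so a buffer that is Put twice is clean only until its first
// new owner writes to it.
func release(b *bytes.Buffer) {
	b.Reset()
	bodyPool.Put(b)
}

// attemptSend stands in for the transport (constructed stub): the first
// attempt fails so that a retry is exercised.
func attemptSend(attempt int, body *bytes.Buffer) bool {
	return attempt > 0
}

// vulnerableRequest models the flawed control flow: the retry path releases
// the body buffer before retrying, and the deferred cleanup releases it
// again when the request finishes.
func vulnerableRequest(body string, retries int) {
	buf := bodyPool.Get()
	defer release(buf)
	for attempt := 0; attempt <= retries; attempt++ {
		buf.Reset()
		buf.WriteString(body)
		if attemptSend(attempt, buf) {
			return
		}
		if attempt < retries {
			release(buf) // defect: buf is still owned by this request
		}
	}
}

// fixedRequest releases the buffer exactly once, after the last attempt.
func fixedRequest(body string, retries int) {
	buf := bodyPool.Get()
	defer release(buf)
	for attempt := 0; attempt <= retries; attempt++ {
		buf.Reset()
		buf.WriteString(body)
		if attemptSend(attempt, buf) {
			return
		}
	}
}

// interleavedBodies models two concurrent requests that both acquire a
// buffer and write their bodies before either is sent, and returns the
// body the second request would transmit.
func interleavedBodies(bodyA, bodyB string) string {
	bufA := bodyPool.Get()
	bufB := bodyPool.Get()
	bufA.WriteString(bodyA)
	bufB.WriteString(bodyB) // on a shared pointer this appends after bodyA
	return bufB.String()
}

// scenario runs one retried request through fn on a fresh pool, then the
// interleaved pair, and reports what the second request sends plus the
// number of double Puts the pool observed.
func scenario(fn func(string, int)) (string, int) {
	bodyPool = &bufferPool{}
	fn("probe=1", 1) // constructed sample body; retries enabled
	sent := interleavedBodies("token=secret-A", "op=ping")
	return sent, bodyPool.doublePuts
}

func main() {
	for name, fn := range map[string]func(string, int){"vulnerable": vulnerableRequest, "fixed": fixedRequest} {
		sent, dup := scenario(fn)
		fmt.Printf("%-10s double puts=%d  second request sends: %q\n", name, dup, sent)
	}
}
```

In the vulnerable run the pool hands the same *bytes.Buffer to both later requests, so the second one transmits "token=secret-A" followed by its own body; in the fixed run each request gets its own buffer. The double-Put counter is the kind of invariant check worth keeping behind a debug flag around any pool whose items are released from more than one code path.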
