Control: severity -1 grave

Hi,

On Fri, Dec 01, 2023 at 10:38:32PM +0100, Salvatore Bonaccorso wrote:
> Source: golang-github-go-resty-resty
> Version: 2.10.0-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/go-resty/resty/pull/745
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for golang-github-go-resty-resty.
>
> CVE-2023-45286[0]:
> | A race condition in go-resty can result in HTTP request body
> | disclosure across requests. This condition can be triggered by
> | calling sync.Pool.Put with the same *bytes.Buffer more than once,
> | when request retries are enabled and a retry occurs. The call to
> | sync.Pool.Get will then return a bytes.Buffer that hasn't had
> | bytes.Buffer.Reset called on it. This dirty buffer will contain the
> | HTTP request body from an unrelated request, and go-resty will
> | append the current HTTP request body to it, sending two bodies in
> | one request. The sync.Pool in question is defined at package level
> | scope, so a completely unrelated server could receive the request
> | body.

There is a fix upstream at
https://github.com/go-resty/resty/commit/577fed8730d79f583eb48dfc81674164e1fc471e

Can we have a targeted fix to land in trixie? For bookworm and older we
marked it no-dsa, but I think it would be sensible to try to make it for
trixie regularly (raising the severity for that to RC).

Regards,
Salvatore
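Added illustration of the mechanism the CVE text describes, for readers reviewing the backport. This is constructed example code, not resty's code and not the upstream fix: the pool, the `acquire`/`release` helpers and the two `sendWithRetry*` functions are hypothetical stand-ins that only reproduce the shape of the defect (one `Get`, more than one `Put` of the same `*bytes.Buffer` when a retry occurs). `Demo` runs one retried request and then two unrelated in-flight requests; when the pool hands both the same buffer, the second request's wire body starts with the first request's body, which is exactly the cross-request disclosure the advisory warns about.

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
)

// Package-level pool shared by every request in the process, as the advisory
// describes for resty. Constructed stand-in: resty's own pool and helpers are
// not reproduced here.
var bufPool = sync.Pool{New: func() interface{} { return new(bytes.Buffer) }}

func acquire() *bytes.Buffer { return bufPool.Get().(*bytes.Buffer) }

// release resets the buffer before returning it to the pool. The Reset is
// correct, but it cannot protect against the same pointer being Put twice.
func release(buf *bytes.Buffer) {
	buf.Reset()
	bufPool.Put(buf)
}

// sendWithRetryUnsafe models the defective retry path (hypothetical shape):
// the buffer is released once per retry and again on completion, so a request
// that retried has Put the same *bytes.Buffer more than once.
func sendWithRetryUnsafe(body string, retries int) {
	buf := acquire()
	buf.WriteString(body)
	for i := 0; i < retries; i++ {
		release(buf) // defect: Put on every retry ...
	}
	release(buf) // ... and once more when the request finishes
}

// sendWithRetrySafe releases the buffer exactly once, after the last attempt:
// one Put per Get, which is the invariant a correct fix must restore.
func sendWithRetrySafe(body string, retries int) {
	buf := acquire()
	defer release(buf) // exactly one Put per Get
	buf.WriteString(body)
	for i := 0; i < retries; i++ {
		// a retry reuses buf's bytes; nothing is released here
	}
}

// inFlight models an unrelated request that still holds its buffer while it
// is on the wire. It returns the buffer and the bytes that would be sent.
func inFlight(body string) (*bytes.Buffer, string) {
	buf := acquire()
	buf.WriteString(body)
	return buf, buf.String()
}

// Demo runs one retried request through send, then two unrelated requests
// that are in flight at the same time. If the pool handed both the same
// buffer, bob's request carries alice's body in front of its own.
func Demo(send func(body string, retries int)) (aliceWire, bobWire string, aliased bool) {
	send("secret=token-A", 1) // constructed body; one retry

	var a, b *bytes.Buffer
	a, aliceWire = inFlight("user=alice")
	b, bobWire = inFlight("user=bob")
	aliased = a == b // two live requests sharing one buffer

	release(a)
	if !aliased {
		release(b)
	}
	return aliceWire, bobWire, aliased
}

func main() {
	for name, send := range map[string]func(string, int){
		"unsafe": sendWithRetryUnsafe,
		"safe":   sendWithRetrySafe,
	} {
		alice, bob, aliased := Demo(send)
		fmt.Printf("%-6s aliased=%-5v alice=%q bob=%q\n", name, aliased, alice, bob)
	}
}
```

With the unsafe sender, `Demo` reports `aliased=true` and bob's body as `"user=aliceuser=bob"` on the current Go runtime (the double Put leaves the same pointer in both the pool's private slot and its shared list, so two consecutive Gets return it); with the safe sender the two requests get distinct buffers and each body goes out alone. When reviewing a targeted patch, the property to check is the one `sendWithRetrySafe` shows: every path that retries still performs exactly one Put for the buffer it obtained.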