CVE-2022-41715

Name	CVE-2022-41715
Description	Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang (PTS)	jessie, jessie (lts)	2:1.3.3-1+deb8u5	vulnerable
golang-1.11 (PTS)	buster (security), buster, buster (lts)	1.11.6-1+deb10u7	vulnerable
golang-1.15 (PTS)	bullseye	1.15.15-1~deb11u4	vulnerable
golang-1.19 (PTS)	bookworm	1.19.8-2	fixed
golang-1.7 (PTS)	stretch (security), stretch (lts), stretch	1.7.4-2+deb9u5	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
golang	source	(unstable)	(unfixed)
golang-1.11	source	(unstable)	(unfixed)
golang-1.15	source	(unstable)	(unfixed)
golang-1.17	unknown	(unstable)	(unfixed)
golang-1.18	source	(unstable)	1.18.7-1
golang-1.19	source	(unstable)	1.19.2-1
golang-1.7	source	(unstable)	(unfixed)

Notes

[bullseye] - golang-1.15 <no-dsa> (Minor issue)
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
https://go.dev/issue/55949
https://github.com/golang/go/commit/645abfe529dc325e16daa17210640c2907d1c17a (go1.19.2)
https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 (go1.18.7)
[jessie] - golang <postponed> (Limited support, follow DLAs)
[stretch] - golang-1.7 <postponed> (Limited support, follow DLAs)