encoding/pem: stack overflow #51853
Comments
@gopherbot please open backport issues for this security fix.

Backport issue(s) opened: #52036 (for 1.17), #52037 (for 1.18). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

Change https://go.dev/cl/399816 mentions this issue:

Change https://go.dev/cl/399817 mentions this issue:
Previously, Decode called decodeError, a recursive function that was prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates #51853
Fixes #52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Previously, Decode called decodeError, a recursive function that was prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates #51853
Fixes #52037

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399817
Run-TryBot: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Change https://go.dev/cl/399820 mentions this issue:
Bump go to 1.18.1

Fixes:
- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Signed-off-by: Noel Georgi <[email protected]>
Bump go to 1.17.9

Fixes:
- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Signed-off-by: Noel Georgi <[email protected]>
Bump go to 1.17.9

Fixes:
- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Update zlib download url's to use proper ones

Signed-off-by: Noel Georgi <[email protected]>
Bump go to 1.18.1

Fixes:
- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Also update zlib download url's

Signed-off-by: Noel Georgi <[email protected]>
Previously, Decode called decodeError, a recursive function that was prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates golang#51853
Fixes golang#52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
# AWS EKS

Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: [email protected]
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@b3af1d2
Upstream Source Commit: golang@2116d60

# Original Information

Previously, Decode called decodeError, a recursive function that was prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates golang#51853
Fixes golang#52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
# AWS EKS

Backported To: go-1.16.15-eks
Backported On: Tue, 04 Oct 2022
Backported By: [email protected]
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@228f3af
Upstream Source Commit: golang@2116d60

# Original Information

Previously, Decode called decodeError, a recursive function that was prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates golang#51853
Fixes golang#52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.
Thanks to Juho Nurminen of Mattermost who reported the error.
This is CVE-2022-24675.
(This was a PRIVATE issue tracked in http://b/216105673 and fixed by http://tg/1391157.)
/cc @golang/security and @golang/release
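The issue above is a crash in pem.Decode on large, error-containing input; the real fix is the runtime upgrade to 1.17.9 / 1.18.1 listed in the commits. As an added example that is not part of this issue or of the Go project's code, the helper below (hypothetical names DecodeAllBounded, ErrTooLarge, ErrTooManyBlocks, SamplePEM) shows the defence-in-depth check a service that parses untrusted PEM can apply regardless of runtime version: cap the input size before the bytes reach pem.Decode, and walk the blocks in a bounded iterative loop. The PEM it decodes is constructed test input, not real key material.

```go
package main

import (
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// Hypothetical sentinel errors; not part of encoding/pem.
var ErrTooLarge = errors.New("pem input exceeds size limit")
var ErrTooManyBlocks = errors.New("pem input exceeds block limit")

// DecodeAllBounded decodes every PEM block in data. It rejects inputs larger
// than maxBytes before calling pem.Decode (a size cap for callers still on a
// runtime without the fix above) and walks the blocks with an iterative loop
// capped at maxBlocks, so untrusted input never controls recursion depth.
func DecodeAllBounded(data []byte, maxBytes, maxBlocks int) ([]*pem.Block, error) {
	if len(data) > maxBytes {
		return nil, ErrTooLarge
	}
	var blocks []*pem.Block
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest) // nil block: no further BEGIN header
		if block == nil {
			return blocks, nil
		}
		if len(blocks) >= maxBlocks {
			return nil, ErrTooManyBlocks
		}
		blocks = append(blocks, block)
	}
}

// sampleBlock builds a constructed PEM block of type typ around payload.
func sampleBlock(typ, payload string) string {
	return "-----BEGIN " + typ + "-----\n" +
		base64.StdEncoding.EncodeToString([]byte(payload)) +
		"\n-----END " + typ + "-----\n"
}

// SamplePEM is constructed input: two valid blocks with non-PEM text around
// them. The payloads are placeholders, not real keys or certificates.
var SamplePEM = []byte("junk before\n" + sampleBlock("TEST BLOCK", "first") +
	"text between\n" + sampleBlock("TEST BLOCK", "second"))
```

Pick maxBytes from the largest legitimate bundle the service expects (a single certificate chain is well under 5 MB, the threshold named in the report) rather than from the parser's tolerance.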