-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
encoding/pem: stack overflow (CVE-2022-24675) [1.18 backport] #52037
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
Used during the release process for point releases
label
Mar 30, 2022
Approved for important security issue. |
cherrymui
added
CherryPickApproved
Used during the release process for point releases
and removed
CherryPickCandidate
Used during the release process for point releases
labels
Apr 6, 2022
Change https://go.dev/cl/399817 mentions this issue: |
Closed by merging 84264fc to release-branch.go1.18. |
gopherbot
pushed a commit
that referenced
this issue
Apr 12, 2022
Previously, Decode called decodeError, a recursive function that was prone to stack overflows when given a large PEM file containing errors. Credit to Juho Nurminen of Mattermost who reported the error. Fixes CVE-2022-24675 Updates #51853 Fixes #52037 Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> (cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02) Reviewed-on: https://go-review.googlesource.com/c/go/+/399817 Run-TryBot: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Cherry Mui <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
dmitshur
changed the title
security: fix CVE-2022-24675 [1.18 backport]
encoding/pem: stack overflow [1.18 backport]
Apr 12, 2022
dmitshur
changed the title
encoding/pem: stack overflow [1.18 backport]
encoding/pem: stack overflow (CVE-2022-24675) [1.18 backport]
Apr 19, 2022
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
@FiloSottile requested issue #51853 to be considered for backport to the next 1.18 minor release.
The text was updated successfully, but these errors were encountered: