Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

encoding/pem: stack overflow (CVE-2022-24675) [1.18 backport] #52037

Closed
gopherbot opened this issue Mar 30, 2022 · 3 comments
Closed

encoding/pem: stack overflow (CVE-2022-24675) [1.18 backport] #52037

gopherbot opened this issue Mar 30, 2022 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone

Comments

@gopherbot
Copy link
Contributor

@FiloSottile requested issue #51853 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues for this security fix.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 30, 2022
@gopherbot gopherbot added this to the Go1.18.1 milestone Mar 30, 2022
@cherrymui
Copy link
Member

Approved for important security issue.

@cherrymui cherrymui added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Apr 6, 2022
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/399817 mentions this issue: [release-branch.go1.18] encoding/pem: fix stack overflow in Decode

@gopherbot
Copy link
Contributor Author

Closed by merging 84264fc to release-branch.go1.18.

gopherbot pushed a commit that referenced this issue Apr 12, 2022
Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates #51853
Fixes #52037

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399817
Run-TryBot: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
@dmitshur dmitshur changed the title security: fix CVE-2022-24675 [1.18 backport] encoding/pem: stack overflow [1.18 backport] Apr 12, 2022
@dmitshur dmitshur changed the title encoding/pem: stack overflow [1.18 backport] encoding/pem: stack overflow (CVE-2022-24675) [1.18 backport] Apr 19, 2022
@golang golang locked and limited conversation to collaborators Apr 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Development

No branches or pull requests

3 participants