Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

math/big: Rat.SetString may consume large amount of RAM and crash [1.17 backport] #50701

Closed
gopherbot opened this issue Jan 19, 2022 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone

Comments

@gopherbot
Copy link

@katiehockman requested issue #50699 to be considered for backport to the next 1.17 minor release.

@gopherbot please backport to 1.17 and 1.16 as this is a security issue.

@gopherbot
Copy link
Author

Change https://golang.org/cl/381336 mentions this issue: [release-branch.go1.17] math/big: prevent overflow in (*Rat).SetString

@dmitshur
Copy link
Contributor

Approving as a fix to a security issue. This backport applies to both 1.17 (this issue) and 1.16 (#50700).

@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Jan 28, 2022
@gopherbot
Copy link
Author

Closed by merging 539d430 to release-branch.go1.17.

gopherbot pushed a commit that referenced this issue Jan 28, 2022
Credit to rsc@ for the original patch.

Thanks to the OSS-Fuzz project for discovering this
issue and to Emmanuel Odeke (@odeke_et) for reporting it.

Updates #50699
Fixes #50701
Fixes CVE-2022-23772

Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5
Reviewed-on: https://go-review.googlesource.com/c/go/+/379537
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
(cherry picked from commit ad345c2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/381336
Reviewed-by: Filippo Valsorda <filippo@golang.org>
@golang golang locked and limited conversation to collaborators Jan 28, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Development

No branches or pull requests

3 participants