Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encoding/pem: stack overflow (CVE-2022-24675) [1.18 backport] #52037

Closed
gopherbot opened this issue Mar 30, 2022 · 3 comments
Closed

encoding/pem: stack overflow (CVE-2022-24675) [1.18 backport] #52037

gopherbot opened this issue Mar 30, 2022 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.18.1

Comments

@gopherbot
Copy link

@FiloSottile requested issue #51853 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues for this security fix.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 30, 2022
@gopherbot gopherbot mentioned this issue Mar 30, 2022
Closed
@gopherbot gopherbot added this to the Go1.18.1 milestone Mar 30, 2022
@cherrymui
Copy link
Member

Approved for important security issue.

@cherrymui cherrymui added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Apr 6, 2022
@gopherbot
Copy link
Author

Change https://go.dev/cl/399817 mentions this issue: [release-branch.go1.18] encoding/pem: fix stack overflow in Decode

@gopherbot
Copy link
Author

Closed by merging 84264fc to release-branch.go1.18.

gopherbot pushed a commit that referenced this issue Apr 12, 2022
@julieqiu @dmitshur
[release-branch.go1.18] encoding/pem: fix stack overflow in Decode
84264fc 
Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates #51853
Fixes #52037

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399817
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@dmitshur dmitshur changed the title security: fix CVE-2022-24675 [1.18 backport] encoding/pem: stack overflow [1.18 backport] Apr 12, 2022
@thaJeztah thaJeztah mentioned this issue Apr 19, 2022
Closed
@dmitshur dmitshur changed the title encoding/pem: stack overflow [1.18 backport] encoding/pem: stack overflow (CVE-2022-24675) [1.18 backport] Apr 19, 2022
@golang golang locked and limited conversation to collaborators Apr 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.18.1
Development

No branches or pull requests
3 participants
@FiloSottile @gopherbot @cherrymui