encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] #53710

gopherbot · 2022-07-06T19:22:55Z

@tatianab requested issue #53615 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues for this security fix

gopherbot · 2022-07-12T14:03:46Z

Change https://go.dev/cl/417060 mentions this issue: [release-branch.go1.18] encoding/gob: add a depth limit for ignored fields

gopherbot · 2022-07-12T15:07:27Z

Closed by merging fb979a5 to release-branch.go1.18.

…ields Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes #53710 Updates #53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417060 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com>

…ields Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes golang#53710 Updates golang#53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417060 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com>

gopherbot added the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022

gopherbot mentioned this issue Jul 6, 2022

encoding/gob: stack exhaustion in Decoder.Decode #53615

Closed

gopherbot added this to the Go1.18.4 milestone Jul 6, 2022

tatianab added Security release-blocker labels Jul 8, 2022

gopherbot closed this as completed Jul 12, 2022

mknyszek changed the title ~~security: fix CVE-2022-30635 [1.18 backport]~~ encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] Jul 12, 2022

mknyszek added the CherryPickApproved Used during the release process for point releases label Jul 12, 2022

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 12, 2022

golang locked and limited conversation to collaborators Jul 12, 2023

gopherbot added the FrozenDueToAge label Jul 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] #53710

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] #53710

gopherbot commented Jul 6, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 12, 2022

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] #53710

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] #53710

Comments

gopherbot commented Jul 6, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 12, 2022