Skip to content

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] #53710

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Jul 6, 2022 · 2 comments
Closed

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] #53710

gopherbot opened this issue Jul 6, 2022 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.18.4

Comments

@gopherbot
Copy link
Contributor

@tatianab requested issue #53615 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues for this security fix
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022
@gopherbot gopherbot mentioned this issue Jul 6, 2022
Closed
@gopherbot gopherbot added this to the Go1.18.4 milestone Jul 6, 2022
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/417060 mentions this issue: [release-branch.go1.18] encoding/gob: add a depth limit for ignored fields

@gopherbot
Copy link
Contributor Author

Closed by merging fb979a5 to release-branch.go1.18.

gopherbot pushed a commit that referenced this issue Jul 12, 2022
@rolandshoemaker @mknyszek
[release-branch.go1.18] encoding/gob: add a depth limit for ignored f…
fb979a5 
…ields

Enforce a nesting limit of 10,000 for ignored fields during decoding
of messages. This prevents the possibility of triggering stack
exhaustion.

Fixes #53710
Updates #53615
Fixes CVE-2022-30635

Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
(cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417060
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
@mknyszek mknyszek changed the title security: fix CVE-2022-30635 [1.18 backport] encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] Jul 12, 2022
@mknyszek mknyszek added the CherryPickApproved Used during the release process for point releases label Jul 12, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 12, 2022
bradfitz pushed a commit to tailscale/go that referenced this issue Jul 14, 2022
@rolandshoemaker @bradfitz
[release-branch.go1.18] encoding/gob: add a depth limit for ignored f…
b91eef0 
…ields

Enforce a nesting limit of 10,000 for ignored fields during decoding
of messages. This prevents the possibility of triggering stack
exhaustion.

Fixes golang#53710
Updates golang#53615
Fixes CVE-2022-30635

Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
(cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417060
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
@golang golang locked and limited conversation to collaborators Jul 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.18.4
Development

No branches or pull requests
3 participants
@mknyszek @tatianab @gopherbot