path/filepath: stack exhaustion in Glob (CVE-2022-30632) [1.17 backport] #53713
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
|
Change https://go.dev/cl/417073 mentions this issue: |
|
Closed by merging 76f8b73 to release-branch.go1.17. |
gopherbot
pushed a commit
that referenced
this issue
Jul 12, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes #53713 Updates #53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>
mknyszek
changed the title
mknyszek
added
the
CherryPickApproved
gopherbot
removed
the
CherryPickCandidate
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes golang#53713 Updates golang#53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes golang#53713 Updates golang#53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 12, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes golang#53713 Updates golang#53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes golang#53713 Updates golang#53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@7781521 Upstream Source Commit: golang@76f8b73 # Original Information A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes golang#53713 Updates golang#53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@7781521 Upstream Source Commit: golang@76f8b73 # Original Information A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes golang#53713 Updates golang#53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@d62c78c Upstream Source Commit: golang@76f8b73 # Original Information A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes golang#53713 Updates golang#53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
@tatianab requested issue #53416 to be considered for backport to the next 1.17 minor release.
The text was updated successfully, but these errors were encountered: