New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) [1.17 backport] #53715
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
Used during the release process for point releases
label
Jul 6, 2022
Change https://go.dev/cl/417069 mentions this issue: |
Closed by merging 2678d0c to release-branch.go1.17. |
gopherbot
pushed a commit
that referenced
this issue
Jul 12, 2022
…shal Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes #53715 Updates #53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
mknyszek
changed the title
security: fix CVE-2022-30633 [1.17 backport]
encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) [1.17 backport]
Jul 12, 2022
mknyszek
added
the
CherryPickApproved
Used during the release process for point releases
label
Jul 12, 2022
gopherbot
removed
the
CherryPickCandidate
Used during the release process for point releases
label
Jul 12, 2022
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
…shal Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
…shal Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@be69d5c Upstream Source Commit: golang@2678d0c # Original Information Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@be69d5c Upstream Source Commit: golang@2678d0c # Original Information Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@4884ee8 Upstream Source Commit: golang@2678d0c # Original Information Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
@tatianab requested issue #53611 to be considered for backport to the next 1.17 minor release.
The text was updated successfully, but these errors were encountered: