Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) [1.17 backport] #53715

Closed
gopherbot opened this issue Jul 6, 2022 · 2 comments
Closed

encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) [1.17 backport] #53715

gopherbot opened this issue Jul 6, 2022 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.17.12

Comments

@gopherbot
Copy link

@tatianab requested issue #53611 to be considered for backport to the next 1.17 minor release.

@gopherbot please open backport issues for this security fix
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022
@gopherbot gopherbot mentioned this issue Jul 6, 2022
Closed
@gopherbot gopherbot added this to the Go1.17.12 milestone Jul 6, 2022
@gopherbot
Copy link
Author

Change https://go.dev/cl/417069 mentions this issue: [release-branch.go1.17] encoding/xml: limit depth of nesting in unmarshal

@gopherbot
Copy link
Author

Closed by merging 2678d0c to release-branch.go1.17.

gopherbot pushed a commit that referenced this issue Jul 12, 2022
@rolandshoemaker @mknyszek
[release-branch.go1.17] encoding/xml: limit depth of nesting in unmar…
2678d0c 
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes #53715
Updates #53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@mknyszek mknyszek changed the title security: fix CVE-2022-30633 [1.17 backport] encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) [1.17 backport] Jul 12, 2022
@mknyszek mknyszek added the CherryPickApproved Used during the release process for point releases label Jul 12, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 12, 2022
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
@rolandshoemaker @danbudris
[release-branch.go1.17] encoding/xml: limit depth of nesting in unmar…
4884ee8 
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
@rolandshoemaker @danbudris
[release-branch.go1.17] encoding/xml: limit depth of nesting in unmar…
be69d5c 
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 5, 2022
@rolandshoemaker @rcrozean
encoding/xml: limit depth of nesting in unmarshal
aeca689 
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@be69d5c
Upstream Source Commit: golang@2678d0c

# Original Information

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
@rolandshoemaker @rcrozean
encoding/xml: limit depth of nesting in unmarshal
56eb743 
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@be69d5c
Upstream Source Commit: golang@2678d0c

# Original Information

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
@rolandshoemaker @rcrozean
encoding/xml: limit depth of nesting in unmarshal
5db9ea5 
# AWS EKS
Backported To: go-1.16.15-eks
Backported On: Tue, 04 Oct 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@4884ee8
Upstream Source Commit: golang@2678d0c

# Original Information

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@golang golang locked and limited conversation to collaborators Jul 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.17.12
Development

No branches or pull requests
3 participants
@mknyszek @tatianab @gopherbot