Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) [1.18 backport] #53716

Closed
gopherbot opened this issue Jul 6, 2022 · 2 comments
Closed

encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) [1.18 backport] #53716

gopherbot opened this issue Jul 6, 2022 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.18.4

Comments

@gopherbot
Copy link

@tatianab requested issue #53611 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues for this security fix
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022
@gopherbot gopherbot mentioned this issue Jul 6, 2022
Closed
@gopherbot gopherbot added this to the Go1.18.4 milestone Jul 6, 2022
@gopherbot
Copy link
Author

Change https://go.dev/cl/417055 mentions this issue: [release-branch.go1.18] encoding/xml: limit depth of nesting in unmarshal

@gopherbot
Copy link
Author

Closed by merging 2924ced to release-branch.go1.18.

gopherbot pushed a commit that referenced this issue Jul 12, 2022
@rolandshoemaker @mknyszek
[release-branch.go1.18] encoding/xml: limit depth of nesting in unmar…
2924ced 
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes #53716
Updates #53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417055
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
@mknyszek mknyszek changed the title security: fix CVE-2022-30633 [1.18 backport] encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) [1.18 backport] Jul 12, 2022
@mknyszek mknyszek added the CherryPickApproved Used during the release process for point releases label Jul 12, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 12, 2022
bradfitz pushed a commit to tailscale/go that referenced this issue Jul 14, 2022
@rolandshoemaker @bradfitz
[release-branch.go1.18] encoding/xml: limit depth of nesting in unmar…
f53d677 
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53716
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417055
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
@golang golang locked and limited conversation to collaborators Jul 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.18.4
Development

No branches or pull requests
3 participants
@mknyszek @tatianab @gopherbot