Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) [1.18 backport] #53718

Closed
gopherbot opened this issue Jul 6, 2022 · 2 comments
Closed

compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) [1.18 backport] #53718

gopherbot opened this issue Jul 6, 2022 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.18.4

Comments

@gopherbot
Copy link

@tatianab requested issue #53168 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues for this security fix
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022
@gopherbot gopherbot mentioned this issue Jul 6, 2022
Closed
@gopherbot gopherbot added this to the Go1.18.4 milestone Jul 6, 2022
@gopherbot
Copy link
Author

Change https://go.dev/cl/417057 mentions this issue: [release-branch.go1.18] compress/gzip: fix stack exhaustion bug in Reader.Read

@gopherbot
Copy link
Author

Closed by merging 8e27a8a to release-branch.go1.18.

gopherbot pushed a commit that referenced this issue Jul 12, 2022
@mknyszek
[release-branch.go1.18] compress/gzip: fix stack exhaustion bug in Re…
8e27a8a 
…ader.Read

Replace recursion with iteration in Reader.Read to avoid stack
exhaustion when there are a large number of files.

Fixes CVE-2022-30631
Fixes #53718
Updates #53168

Change-Id: I47d8afe3f2d40b0213ab61431df9b221794dbfe0
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1455673
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit cf498969c8a0bae9d7a24b98fc1f66c824a4775d)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417057
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
@mknyszek mknyszek changed the title security: fix CVE-2022-30631 [1.18 backport] compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) [1.18 backport] Jul 12, 2022
@mknyszek mknyszek added the CherryPickApproved Used during the release process for point releases label Jul 12, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 12, 2022
bradfitz pushed a commit to tailscale/go that referenced this issue Jul 14, 2022
@bradfitz
[release-branch.go1.18] compress/gzip: fix stack exhaustion bug in Re…
e82b129 
…ader.Read

Replace recursion with iteration in Reader.Read to avoid stack
exhaustion when there are a large number of files.

Fixes CVE-2022-30631
Fixes golang#53718
Updates golang#53168

Change-Id: I47d8afe3f2d40b0213ab61431df9b221794dbfe0
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1455673
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit cf498969c8a0bae9d7a24b98fc1f66c824a4775d)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417057
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
@golang golang locked and limited conversation to collaborators Jul 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.18.4
Development

No branches or pull requests
3 participants
@mknyszek @tatianab @gopherbot