Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

io/fs: stack exhaustion in Glob (CVE-2022-30630) [1.17 backport] #53719

Closed
gopherbot opened this issue Jul 6, 2022 · 2 comments
Closed

io/fs: stack exhaustion in Glob (CVE-2022-30630) [1.17 backport] #53719

gopherbot opened this issue Jul 6, 2022 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.17.12

Comments

@gopherbot
Copy link

@tatianab requested issue #53415 to be considered for backport to the next 1.17 minor release.

@gopherbot please open backport issues for this security fix
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022
@gopherbot gopherbot mentioned this issue Jul 6, 2022
Closed
@gopherbot gopherbot added this to the Go1.17.12 milestone Jul 6, 2022
@gopherbot
Copy link
Author

Change https://go.dev/cl/417072 mentions this issue: [release-branch.go1.17] io/fs: fix stack exhaustion in Glob

@gopherbot
Copy link
Author

Closed by merging 8c1d8c8 to release-branch.go1.17.

gopherbot pushed a commit that referenced this issue Jul 12, 2022
@julieqiu @mknyszek
[release-branch.go1.17] io/fs: fix stack exhaustion in Glob
8c1d8c8 
A limit is added to the number of path separators allowed by an input to
Glob, to prevent stack exhaustion issues.

Thanks to Juho Nurminen of Mattermost who reported a similar issue in
path/filepath.

Fixes #53719
Updates #53415
Fixes CVE-2022-30630

Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417072
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
@mknyszek mknyszek changed the title security: fix CVE-2022-30630 [1.17 backport] io/fs: stack exhaustion in Glob (CVE-2022-30630) [1.17 backport] Jul 12, 2022
@mknyszek mknyszek added the CherryPickApproved Used during the release process for point releases label Jul 12, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 12, 2022
@knz knz mentioned this issue Jul 18, 2022
Closed
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
@julieqiu @danbudris
[release-branch.go1.17] io/fs: fix stack exhaustion in Glob
9aaea0a 
A limit is added to the number of path separators allowed by an input to
Glob, to prevent stack exhaustion issues.

Thanks to Juho Nurminen of Mattermost who reported a similar issue in
path/filepath.

Fixes golang#53719
Updates golang#53415
Fixes CVE-2022-30630

Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417072
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
@julieqiu @danbudris
[release-branch.go1.17] io/fs: fix stack exhaustion in Glob
ad3db90 
A limit is added to the number of path separators allowed by an input to
Glob, to prevent stack exhaustion issues.

Thanks to Juho Nurminen of Mattermost who reported a similar issue in
path/filepath.

Fixes golang#53719
Updates golang#53415
Fixes CVE-2022-30630

Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417072
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 12, 2022
@julieqiu @danbudris
[release-branch.go1.17] io/fs: fix stack exhaustion in Glob
ccea19b 
A limit is added to the number of path separators allowed by an input to
Glob, to prevent stack exhaustion issues.

Thanks to Juho Nurminen of Mattermost who reported a similar issue in
path/filepath.

Fixes golang#53719
Updates golang#53415
Fixes CVE-2022-30630

Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417072
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
@julieqiu @rcrozean
io/fs: fix stack exhaustion in Glob
952aa81 
# AWS EKS
Backported To: go-1.16.15-eks
Backported On: Tue, 04 Oct 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@9aaea0a
Upstream Source Commit: golang@8c1d8c8

# Original Information

A limit is added to the number of path separators allowed by an input to
Glob, to prevent stack exhaustion issues.

Thanks to Juho Nurminen of Mattermost who reported a similar issue in
path/filepath.

Fixes golang#53719
Updates golang#53415
Fixes CVE-2022-30630

Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417072
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
@golang golang locked and limited conversation to collaborators Jul 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.17.12
Development

No branches or pull requests
3 participants
@mknyszek @tatianab @gopherbot