security: fix CVE-2022-2879 [1.18 backport] #55925
Labels
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
dmitshur
added
Security
CherryPickApproved
|
Change https://go.dev/cl/438500 mentions this issue: |
|
Closed by merging 0a72381 to release-branch.go1.18. |
gopherbot
pushed a commit
that referenced
this issue
Oct 4, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-2879 Updates #54853 Fixes #55925 Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-2879 Updates golang#54853 Fixes golang#55925 Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Wed, 5 Oct 2022 Backported By: rcrozean@amazon.com Backported From: release-branch.go1.15 Source Commit: golang@0a72381 EKS Patch Source Commit: aws/eks-distro-build-tooling@1de4158 For building an internal version of go1.15, we removed the binary information from this patch caused by ./src/archive/tar/pax-bad-hdr-large.tar.bz2 it was added to the repo: https://github.com/aws/eks-distro-build-tooling/projects/golang/go/1.15/rpmbuild/SOURCE/pax-bad-hdr-large.tar.bz2 # Originial Information Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-2879 Updates golang#54853 Fixes golang#55925 Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Wed, 5 Oct 2022 Backported By: rcrozean@amazon.com Backported From: release-branch.go1.18 Source Commit: golang@0a72381 EKS Patch Source Commit: aws/eks-distro-build-tooling@f4ce232 For building an internal version of go1.16, we removed the binary information from this patch, describing ./src/archive/tar/pax-bad-hdr-large.tar.bz2 The file itself was added directly to the repository. This was done due to fact that `diff`, used by RPMs for patch application, does not support binary diffs. https://github.com/aws/eks-distro-build-tooling/projects/golang/go/1.16/rpmbuild/SOURCE/pax-bad-hdr-large.tar.bz2 # Original Information Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-2879 Updates golang#54853 Fixes golang#55925 Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 14, 2022
Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-2879 Updates golang#54853 Fixes golang#55925 Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
@rolandshoemaker requested issue #54853 to be considered for backport to the next 1.18 minor release.
The text was updated successfully, but these errors were encountered: