net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) [1.20 backport] #59270

gopherbot · 2023-03-27T15:05:42Z

@julieqiu requested issue #59153 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues.

gopherbot · 2023-04-04T16:31:03Z

Change https://go.dev/cl/481989 mentions this issue: [release-branch.go1.20] mime/multipart: avoid excessive copy buffer allocations in ReadForm

gopherbot · 2023-04-04T16:31:06Z

Change https://go.dev/cl/481990 mentions this issue: [release-branch.go1.20] net/textproto, mime/multipart: improve accounting of non-file data

gopherbot · 2023-04-04T16:31:08Z

Change https://go.dev/cl/481991 mentions this issue: [release-branch.go1.20] mime/multipart: limit parsed mime message sizes

gopherbot · 2023-04-04T16:58:53Z

Closed by merging ea6b5a6 to release-branch.go1.20.

@das7pad

…llocations in ReadForm When copying form data to disk with io.Copy, allocate only one copy buffer and reuse it rather than creating two buffers per file (one from io.multiReader.WriteTo, and a second one from os.File.ReadFrom). Thanks to Jakob Ackermann (@das7pad) for reporting this issue. For CVE-2023-24536 For #59153 For #59270 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802453 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Change-Id: I44ef17c4b4964cdac2858317275594194801fee3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802398 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/481989 Auto-Submit: Michael Knyszek <mknyszek@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Matthew Dempsky <mdempsky@google.com>

@das7pad

…ting of non-file data For requests containing large numbers of small parts, memory consumption of a parsed form could be about 250% over the estimated size. When considering the size of parsed forms, account for the size of FileHeader structs and increase the estimate of memory consumed by map entries. Thanks to Jakob Ackermann (@das7pad) for reporting this issue. For CVE-2023-24536 For #59153 For #59270 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802454 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Change-Id: I9753aa1f8a1b1479c160f870def3b7081b6847ac Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802399 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/481990 TryBot-Bypass: Michael Knyszek <mknyszek@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com>

@das7pad

The parsed forms of MIME headers and multipart forms can consume substantially more memory than the size of the input data. A malicious input containing a very large number of headers or form parts can cause excessively large memory allocations. Set limits on the size of MIME data: Reader.NextPart and Reader.NextRawPart limit the the number of headers in a part to 10000. Reader.ReadForm limits the total number of headers in all FileHeaders to 10000. Both of these limits may be set with with GODEBUG=multipartmaxheaders=<values>. Reader.ReadForm limits the number of parts in a form to 1000. This limit may be set with GODEBUG=multipartmaxparts=<value>. Thanks for Jakob Ackermann (@das7pad) for reporting this issue. For CVE-2023-24536 For #59153 For #59270 Change-Id: I36ddceead7f8292c327286fd8694e6113d3b4977 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802455 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802608 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/481991 Run-TryBot: Michael Knyszek <mknyszek@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> TryBot-Bypass: Michael Knyszek <mknyszek@google.com>

gopherbot · 2023-04-05T15:39:35Z

Change https://go.dev/cl/482555 mentions this issue: [release-branch.go1.20] html/template,mime/multipart: document new GODEBUG settings

…DEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates #59153. For #59270. Updates #59234. For #59272. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482555 TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Michael Knyszek <mknyszek@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>

…DEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates golang#59153. For golang#59270. Updates golang#59234. For golang#59272. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482555 TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Michael Knyszek <mknyszek@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>

gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 27, 2023

gopherbot mentioned this issue Mar 27, 2023

net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) #59153

Closed

gopherbot added this to the Go1.20.3 milestone Mar 27, 2023

dmitshur added the Security label Mar 29, 2023

gopherbot closed this as completed Apr 4, 2023

mknyszek changed the title ~~security: fix CVE-2023-24536 [1.20 backport]~~ net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) [1.20 backport] Apr 4, 2023

mknyszek added the CherryPickApproved Used during the release process for point releases label Apr 4, 2023

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Apr 4, 2023

golang locked and limited conversation to collaborators Apr 4, 2024

gopherbot added the FrozenDueToAge label Apr 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) [1.20 backport] #59270

net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) [1.20 backport] #59270

gopherbot commented Mar 27, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 5, 2023

net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) [1.20 backport] #59270

net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) [1.20 backport] #59270

Comments

gopherbot commented Mar 27, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 5, 2023