Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] #59274

Closed
gopherbot opened this issue Mar 27, 2023 · 2 comments
Closed

go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] #59274

gopherbot opened this issue Mar 27, 2023 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone
Go1.20.3

Comments

@gopherbot
Copy link

@julieqiu requested issue #59180 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 27, 2023
@gopherbot gopherbot mentioned this issue Mar 27, 2023
Closed
@gopherbot gopherbot added this to the Go1.20.3 milestone Mar 27, 2023
@gopherbot
Copy link
Author

Change https://go.dev/cl/481992 mentions this issue: [release-branch.go1.20] go/scanner: reject large line and column numbers in //line directives

gopherbot pushed a commit that referenced this issue Apr 4, 2023
@neild @gopherbot
[release-branch.go1.20] go/scanner: reject large line and column numb…
e7c4b07 
…ers in //line directives

Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.

Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonbly-sized files.

Fixes CVE-2023-24537
For #59180
Fixes #59274

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Change-Id: Ib9c5cb38428ed34ab129d451b00a2998e72c861c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802401
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/481992
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
@gopherbot
Copy link
Author

Closed by merging e7c4b07 to release-branch.go1.20.

@mknyszek mknyszek changed the title security: fix CVE-2023-24537 [1.20 backport] go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] Apr 4, 2023
@mknyszek mknyszek added the CherryPickApproved Used during the release process for point releases label Apr 4, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Apr 4, 2023
@golang golang locked and limited conversation to collaborators Apr 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Milestone
Go1.20.3
Development

No branches or pull requests
3 participants
@mknyszek @dmitshur @gopherbot