Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155) [1.23 backport] #69143

Closed
gopherbot opened this issue Aug 29, 2024 · 2 comments
Closed

go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155) [1.23 backport] #69143

gopherbot opened this issue Aug 29, 2024 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone
Go1.23.1

Comments

@gopherbot
Copy link
Contributor

@rolandshoemaker requested issue #69138 to be considered for backport to the next 1.23 minor release.

@gopherbot please open backport issues for this security fix.
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Aug 29, 2024
@gopherbot gopherbot mentioned this issue Aug 29, 2024
Closed
@gopherbot gopherbot added this to the Go1.23.1 milestone Aug 29, 2024
@rolandshoemaker rolandshoemaker added release-blocker CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Aug 29, 2024
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/611175 mentions this issue: [release-branch.go1.23] go/parser: track depth in nested element lists

@gopherbot
Copy link
Contributor Author

Closed by merging CL 611175 (commit 53487e5) to release-branch.go1.23.

gopherbot pushed a commit that referenced this issue Sep 5, 2024
@rolandshoemaker @gopherbot
[release-branch.go1.23] go/parser: track depth in nested element lists
53487e5 
Prevents stack exhaustion with extremely deeply nested literal values,
i.e. field values in structs.

Updates #69138
Fixes #69143
Fixes CVE-2024-34155

Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520
Reviewed-by: Robert Griesemer <gri@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit eb1b038c0d01761694e7a735ef87ac9164c6568e)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1560
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/611175
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
@dmitshur dmitshur changed the title security: fix CVE-2024-34155 [1.23 backport] go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155) [1.23 backport] Sep 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Projects
None yet
Milestone
Go1.23.1
Development

No branches or pull requests
2 participants
@rolandshoemaker @gopherbot