Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156) [1.22 backport] #69144

Closed
gopherbot opened this issue Aug 29, 2024 · 2 comments
Closed

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156) [1.22 backport] #69144

gopherbot opened this issue Aug 29, 2024 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone
Go1.22.7

Comments

@gopherbot
Copy link
Contributor

@rolandshoemaker requested issue #69139 to be considered for backport to the next 1.22 minor release.

@gopherbot please open backport issues for this security fix.
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Aug 29, 2024
@gopherbot gopherbot mentioned this issue Aug 29, 2024
Closed
@gopherbot gopherbot added this to the Go1.22.7 milestone Aug 29, 2024
@rolandshoemaker rolandshoemaker added release-blocker CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Aug 29, 2024
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/611182 mentions this issue: [release-branch.go1.22] encoding/gob: cover missed cases when checking ignore depth

gopherbot pushed a commit that referenced this issue Sep 5, 2024
@rolandshoemaker @gopherbot
[release-branch.go1.22] encoding/gob: cover missed cases when checkin…
2092294 
…g ignore depth

This change makes sure that we are properly checking the ignored field
recursion depth in decIgnoreOpFor consistently. This prevents stack
exhaustion when attempting to decode a message that contains an
extremely deeply nested struct which is ignored.

Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)
for reporting this issue.

Updates #69139
Fixes #69144
Fixes CVE-2024-34156

Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit f0a11f9b3aaa362cb1d05e095e3c8d421d4f087f)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1580
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/611182
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
@gopherbot
Copy link
Contributor Author

Closed by merging CL 611182 (commit 2092294) to release-branch.go1.22.

@dmitshur dmitshur changed the title security: fix CVE-2024-34156 [1.22 backport] encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156) [1.22 backport] Sep 5, 2024
@muffl0n muffl0n mentioned this issue Sep 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Projects
None yet
Milestone
Go1.22.7
Development

No branches or pull requests
2 participants
@rolandshoemaker @gopherbot