Skip to content

go/build/constraint: stack exhaustion in Parse (CVE-2024-34158) [1.22 backport] #69148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Aug 29, 2024 · 2 comments
Closed

go/build/constraint: stack exhaustion in Parse (CVE-2024-34158) [1.22 backport] #69148

gopherbot opened this issue Aug 29, 2024 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone
Go1.22.7

Comments

@gopherbot
Copy link
Contributor

@rolandshoemaker requested issue #69141 to be considered for backport to the next 1.22 minor release.

@gopherbot please open backport issues for this security fix.
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Aug 29, 2024
@gopherbot gopherbot mentioned this issue Aug 29, 2024
Closed
@gopherbot gopherbot added this to the Go1.22.7 milestone Aug 29, 2024
@rolandshoemaker rolandshoemaker added release-blocker CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Aug 29, 2024
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/611183 mentions this issue: [release-branch.go1.22] go/build/constraint: add parsing limits

gopherbot pushed a commit that referenced this issue Sep 5, 2024
@rolandshoemaker @gopherbot
[release-branch.go1.22] go/build/constraint: add parsing limits
d4c5381 
Limit the size of build constraints that we will parse. This prevents a
number of stack exhaustions that can be hit when parsing overly complex
constraints. The imposed limits are unlikely to ever be hit in real
world usage.

Updates #69141
Fixes #69148
Fixes CVE-2024-34158

Change-Id: I38b614bf04caa36eefc6a4350d848588c4cef3c4
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1540
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit 0c74dc9e0da0cf1e12494b514d822b5bebbc9f04)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1582
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/611183
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
@gopherbot
Copy link
Contributor Author

Closed by merging CL 611183 (commit d4c5381) to release-branch.go1.22.

@dmitshur dmitshur changed the title security: fix CVE-2024-34158 [1.22 backport] go/build/constraint: stack exhaustion in Parse (CVE-2024-34158) [1.22 backport] Sep 5, 2024
@muffl0n muffl0n mentioned this issue Sep 13, 2024
Closed
@acouch acouch mentioned this issue Oct 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Projects
None yet
Milestone
Go1.22.7
Development

No branches or pull requests
2 participants
@rolandshoemaker @gopherbot