math/big: Rat.SetString may consume large amount of RAM and crash #50699
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
katiehockman
added
Security
NeedsFix
|
@gopherbot please backport to 1.17 and 1.16 as this is a security issue. |
This was referenced Jan 19, 2022
|
Backport issue(s) opened: #50700 (for 1.16), #50701 (for 1.17). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases. |
|
Change https://golang.org/cl/379537 mentions this issue: |
|
Ping as a release blocker. Is the CL fixing this issue ready to be submitted? |
|
@dmitshur thank you for the ping! I've given the CL a +2, I shall wait for @katiehockman and the security team too. |
|
Change https://golang.org/cl/381336 mentions this issue: |
|
Change https://golang.org/cl/381337 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jan 28, 2022
Credit to rsc@ for the original patch. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. Updates #50699 Fixes #50701 Fixes CVE-2022-23772 Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5 Reviewed-on: https://go-review.googlesource.com/c/go/+/379537 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Julie Qiu <julie@golang.org> (cherry picked from commit ad345c2) Reviewed-on: https://go-review.googlesource.com/c/go/+/381336 Reviewed-by: Filippo Valsorda <filippo@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Jan 28, 2022
Credit to rsc@ for the original patch. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. Updates #50699 Fixes #50700 Fixes CVE-2022-23772 Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5 Reviewed-on: https://go-review.googlesource.com/c/go/+/379537 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Julie Qiu <julie@golang.org> (cherry picked from commit ad345c2) Reviewed-on: https://go-review.googlesource.com/c/go/+/381337
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
Credit to rsc@ for the original patch. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. Updates golang#50699 Fixes golang#50700 Fixes CVE-2022-23772 Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5 Reviewed-on: https://go-review.googlesource.com/c/go/+/379537 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Julie Qiu <julie@golang.org> (cherry picked from commit ad345c2) Reviewed-on: https://go-review.googlesource.com/c/go/+/381337
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.16 Upstream Source Commit: golang@07ee9e6 EKS Patch Source Commit: danbudris@f56e2b4 # Original Information Credit to rsc@ for the original patch. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. Updates golang#50699 Fixes golang#50700 Fixes CVE-2022-23772 Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5 Reviewed-on: https://go-review.googlesource.com/c/go/+/379537 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Julie Qiu <julie@golang.org> (cherry picked from commit ad345c2) Reviewed-on: https://go-review.googlesource.com/c/go/+/381337
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.16 Upstream Source Commit: golang@07ee9e6 EKS Patch Source Commit: danbudris@f56e2b4 # Original Information Credit to rsc@ for the original patch. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. Updates golang#50699 Fixes golang#50700 Fixes CVE-2022-23772 Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5 Reviewed-on: https://go-review.googlesource.com/c/go/+/379537 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Julie Qiu <julie@golang.org> (cherry picked from commit ad345c2) Reviewed-on: https://go-review.googlesource.com/c/go/+/381337
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Unmarshaling a string into a
*Ratmay cause resource exhaustion, consuming a huge amount of RAM, which may cause a system to crash or timeout. This is reachable from(*Rat).SetString,(*Rat).UnmarshalText,(*Rat).Scan, and any other function that unmarshals a string into a(*Rat)such asconstant.MakeFromLiteral.Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.
This is CVE-2022-23772.
The text was updated successfully, but these errors were encountered: