encoding/pem: stack overflow

[julieqiu]

A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.

Thanks to Juho Nurminen of Mattermost who reported the error.

This is CVE-2022-24675.

(This was a PRIVATE issue tracked in http://b/216105673 and fixed by http://tg/1391157.)

/cc @golang/security and @golang/release

[FiloSottile]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #52036 (for 1.17), #52037 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/399816 mentions this issue: [release-branch.go1.17] encoding/pem: fix stack overflow in Decode

[gopherbot]

Change https://go.dev/cl/399817 mentions this issue: [release-branch.go1.18] encoding/pem: fix stack overflow in Decode