Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

encoding/xml: stack exhaustion in Unmarshal #53611

Closed
tatianab opened this issue Jun 29, 2022 · 5 comments
Closed

encoding/xml: stack exhaustion in Unmarshal #53611

tatianab opened this issue Jun 29, 2022 · 5 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@tatianab
Copy link

tatianab commented Jun 29, 2022

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633.

(This was a PRIVATE issue tracked in http://b/227341754 and fixed by http://tg/1421319.)

/cc @golang/security and @golang/release

@tatianab tatianab modified the milestones: Go1.17.12, Go1.19 Jun 29, 2022
@tatianab tatianab added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 29, 2022
@tatianab
Copy link
Author

tatianab commented Jul 6, 2022

@gopherbot please open backport issues for this security fix

@gopherbot
Copy link

gopherbot commented Jul 6, 2022

Backport issue(s) opened: #53715 (for 1.17), #53716 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot
Copy link

gopherbot commented Jul 12, 2022

Change https://go.dev/cl/417055 mentions this issue: [release-branch.go1.18] encoding/xml: limit depth of nesting in unmarshal

@gopherbot
Copy link

gopherbot commented Jul 12, 2022

Change https://go.dev/cl/417061 mentions this issue: encoding/xml: limit depth of nesting in unmarshal

@gopherbot
Copy link

gopherbot commented Jul 12, 2022

Change https://go.dev/cl/417069 mentions this issue: [release-branch.go1.17] encoding/xml: limit depth of nesting in unmarshal

gopherbot pushed a commit that referenced this issue Jul 12, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes #53716
Updates #53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417055
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
gopherbot pushed a commit that referenced this issue Jul 12, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes #53715
Updates #53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@mknyszek mknyszek changed the title security: fix CVE-2022-30633 encoding/xml: stack exhaustion in Unmarshal and Decoder.Skip Jul 12, 2022
@mknyszek mknyszek changed the title encoding/xml: stack exhaustion in Unmarshal and Decoder.Skip encoding/xml: stack exhaustion in Unmarshal Jul 12, 2022
bradfitz pushed a commit to tailscale/go that referenced this issue Jul 14, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53716
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417055
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
jproberts pushed a commit to jproberts/go that referenced this issue Aug 10, 2022
Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/417061
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
Development

No branches or pull requests

2 participants