-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
encoding/xml: stack exhaustion in Unmarshal #53611
Comments
@gopherbot please open backport issues for this security fix |
Backport issue(s) opened: #53715 (for 1.17), #53716 (for 1.18). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/417055 mentions this issue: |
Change https://go.dev/cl/417061 mentions this issue: |
Change https://go.dev/cl/417069 mentions this issue: |
…shal Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes #53716 Updates #53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417055 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>
…shal Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes #53715 Updates #53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…shal Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53716 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417055 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>
Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/417061 Run-TryBot: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…shal Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…shal Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@be69d5c Upstream Source Commit: golang@2678d0c # Original Information Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@be69d5c Upstream Source Commit: golang@2678d0c # Original Information Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@4884ee8 Upstream Source Commit: golang@2678d0c # Original Information Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes golang#53715 Updates golang#53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the
any
field tag can cause a panic due to stack exhaustion.This is CVE-2022-30633.
(This was a PRIVATE issue tracked in http://b/227341754 and fixed by http://tg/1421319.)
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: