encoding/xml: stack exhaustion in Decoder.Skip

[tatianab]

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost.

This is CVE-2022-28131.

(This was a PRIVATE issue tracked in http://b/227192220 and fixed by http://tg/1419912.)

/cc @golang/security and @golang/release

[tatianab]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #53711 (for 1.17), #53712 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/417054 mentions this issue: [release-branch.go1.18] encoding/xml: use iterative Skip, rather than recursive

[gopherbot]

Change https://go.dev/cl/417062 mentions this issue: encoding/xml: use iterative Skip, rather than recursive

[gopherbot]

Change https://go.dev/cl/417068 mentions this issue: [release-branch.go1.17] encoding/xml: use iterative Skip, rather than recursive