-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
encoding/xml: stack exhaustion in Decoder.Skip #53614
Comments
@gopherbot please open backport issues for this security fix |
Backport issue(s) opened: #53711 (for 1.17), #53712 (for 1.18). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/417054 mentions this issue: |
Change https://go.dev/cl/417062 mentions this issue: |
Change https://go.dev/cl/417068 mentions this issue: |
… recursive Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes #53712 Updates #53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417054 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
… recursive Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes #53711 Updates #53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>
… recursive Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes golang#53712 Updates golang#53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417054 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes golang#53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/417062 Run-TryBot: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
… recursive Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes golang#53711 Updates golang#53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>
… recursive Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes golang#53711 Updates golang#53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@691b495 Upstream Source Commit: golang@58facfb # Original Information Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes golang#53711 Updates golang#53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@691b495 Upstream Source Commit: golang@58facfb # Original Information Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes golang#53711 Updates golang#53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@fe4f75a Upstream Source Commit: golang@58facfb # Original Information Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes golang#53711 Updates golang#53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>
Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.
The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost.
This is CVE-2022-28131.
(This was a PRIVATE issue tracked in http://b/227192220 and fixed by http://tg/1419912.)
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: