security: fix CVE-2022-41725 [1.19 backport] #58362

gopherbot · 2023-02-06T20:11:15Z

@rolandshoemaker requested issue #58006 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues.

gopherbot · 2023-02-14T16:39:44Z

Change https://go.dev/cl/468116 mentions this issue: [release-branch.go1.19] mime/multipart: limit memory/inode consumption of ReadForm

@das7pad

…n of ReadForm Reader.ReadForm is documented as storing "up to maxMemory bytes + 10MB" in memory. Parsed forms can consume substantially more memory than this limit, since ReadForm does not account for map entry overhead and MIME headers. In addition, while the amount of disk memory consumed by ReadForm can be constrained by limiting the size of the parsed input, ReadForm will create one temporary file per form part stored on disk, potentially consuming a large number of inodes. Update ReadForm's memory accounting to include part names, MIME headers, and map entry overhead. Update ReadForm to store all on-disk file parts in a single temporary file. Files returned by FileHeader.Open are documented as having a concrete type of *os.File when a file is stored on disk. The change to use a single temporary file for all parts means that this is no longer the case when a form contains more than a single file part stored on disk. The previous behavior of storing each file part in a separate disk file may be reenabled with GODEBUG=multipartfiles=distinct. Update Reader.NextPart and Reader.NextRawPart to set a 10MiB cap on the size of MIME headers. Thanks to Jakob Ackermann (@das7pad) for reporting this issue. Updates #58006 Fixes #58362 Fixes CVE-2022-41725 Change-Id: Ibd780a6c4c83ac8bcfd3cbe344f042e9940f2eab Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1714276 Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Run-TryBot: Damien Neil <dneil@google.com> (cherry picked from commit ed4664330edcd91b24914c9371c377c132dbce8c) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728949 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/468116 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Than McIntosh <thanm@google.com> Run-TryBot: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com>

gopherbot · 2023-02-14T17:27:27Z

Closed by merging 5c55ac9 to release-branch.go1.19.

gopherbot added the CherryPickCandidate Used during the release process for point releases label Feb 6, 2023

gopherbot mentioned this issue Feb 6, 2023

net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725) #58006

Closed

gopherbot added this to the Go1.19.6 milestone Feb 6, 2023

heschi added the CherryPickApproved Used during the release process for point releases label Feb 8, 2023

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Feb 8, 2023

dmitshur added the Security label Feb 13, 2023

gopherbot closed this as completed Feb 14, 2023

security: fix CVE-2022-41725 [1.19 backport] #58362

security: fix CVE-2022-41725 [1.19 backport] #58362

gopherbot commented Feb 6, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Feb 14, 2023

security: fix CVE-2022-41725 [1.19 backport] #58362

security: fix CVE-2022-41725 [1.19 backport] #58362

Comments

gopherbot commented Feb 6, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Feb 14, 2023