encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156)

[rolandshoemaker]

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

This is a follow-up to CVE-2022-30635.

Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.

This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

---

This is a PRIVATE issue for CVE-2024-34156, tracked in http://b/362587965 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1440.

/cc @golang/security and @golang/release

[rolandshoemaker]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #69144 (for 1.22), #69145 (for 1.23).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gabyhelp]

Related Issues and Documentation

• security: fix CVE-2024-34158 #69141
• security: fix CVE-2024-34155 #69138
• security: fix CVE-2024-34157 #69140
• security: fix CVE-2023-39324 #63212 (closed)
• security: fix CVE-2023-45288 #66297 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/611176 mentions this issue: [release-branch.go1.23] encoding/gob: cover missed cases when checking ignore depth

[gopherbot]

Change https://go.dev/cl/611182 mentions this issue: [release-branch.go1.22] encoding/gob: cover missed cases when checking ignore depth