go/build/constraint: stack exhaustion in Parse (CVE-2024-34158)

[rolandshoemaker]

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

---

This is a PRIVATE issue for CVE-2024-34158, tracked in http://b/362587324 and fixed by
https://go-internal-review.git.corp.google.com/c/go/+/1540.

/cc @golang/security and @golang/release

[rolandshoemaker]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #69148 (for 1.22), #69149 (for 1.23).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gabyhelp]

Related Issues and Documentation

• security: fix CVE-2024-34156 #69139
• security: fix CVE-2024-34157 #69140
• security: fix CVE-2024-34155 #69138
• security: fix CVE-2023-39324 #63212 (closed)
• security: fix CVE-2023-45288 #66297 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/611177 mentions this issue: [release-branch.go1.23] go/build/constraint: add parsing limits

[gopherbot]

Change https://go.dev/cl/611183 mentions this issue: [release-branch.go1.22] go/build/constraint: add parsing limits