go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155) #69138
Labels
FixPending
Issues that have a fix which has not yet been reviewed or submitted.
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
|
@gopherbot please open backport issues for this security fix. |
This was referenced Aug 29, 2024
|
Backport issue(s) opened: #69142 (for 1.22), #69143 (for 1.23). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Related Issues and Documentation
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
This was referenced Aug 29, 2024
dmitshur
added
the
NeedsFix
|
Change https://go.dev/cl/611175 mentions this issue: |
|
Change https://go.dev/cl/611181 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Sep 5, 2024
Prevents stack exhaustion with extremely deeply nested literal values, i.e. field values in structs. Updates #69138 Fixes #69143 Fixes CVE-2024-34155 Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520 Reviewed-by: Robert Griesemer <gri@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Russ Cox <rsc@google.com> (cherry picked from commit eb1b038c0d01761694e7a735ef87ac9164c6568e) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1560 Commit-Queue: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/611175 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Michael Pratt <mpratt@google.com>
gopherbot
pushed a commit
that referenced
this issue
Sep 5, 2024
Prevents stack exhaustion with extremely deeply nested literal values, i.e. field values in structs. Updates #69138 Fixes #69142 Fixes CVE-2024-34155 Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520 Reviewed-by: Robert Griesemer <gri@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Russ Cox <rsc@google.com> (cherry picked from commit eb1b038c0d01761694e7a735ef87ac9164c6568e) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1561 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/611181 Reviewed-by: Michael Pratt <mpratt@google.com> TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
dmitshur
changed the title
|
Change https://go.dev/cl/611238 mentions this issue: |
dmitshur
added
the
FixPending
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.
This is a PRIVATE issue for CVE-2024-34155, tracked in http://b/362588373 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1520.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: