Skip to content

go/parser: stack exhaustion in all Parse* functions #53616

New issue
New issue
Closed
Closed
go/parser: stack exhaustion in all Parse* functions#53616
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
 
Go1.19
@tatianab

Description

@tatianab
tatianab
opened on Jun 29, 2022 · edited by mknyszek

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962.

(This was a PRIVATE issue tracked in http://b/236145171 and fixed by http://tg/1491025.)

/cc https://github.com/orgs/golang/teams/security and https://github.com/orgs/golang/teams/release

Activity

tatianab
added
Security
NeedsFixThe path to resolution is known, but the work has not been done.
release-blocker
on Jun 29, 2022
tatianab
added this to the Go1.19 milestone on Jun 29, 2022
joedian
added this to Release Blockerson Jul 6, 2022
tatianab

tatianab commented on Jul 6, 2022

@tatianab
tatianab
on Jul 6, 2022
Author

@gopherbot please open backport issues for this security fix

gopherbot
mentioned this in 2 issues on Jul 6, 2022
gopherbot

gopherbot commented on Jul 6, 2022

@gopherbot
gopherbot
on Jul 6, 2022
Contributor

Backport issue(s) opened: #53707 (for 1.17), #53708 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

gopherbot

gopherbot commented on Jul 12, 2022

@gopherbot
gopherbot
on Jul 12, 2022
Contributor

Change https://go.dev/cl/417056 mentions this issue: [release-branch.go1.18] go/parser: limit recursion depth

gopherbot

gopherbot commented on Jul 12, 2022

@gopherbot
gopherbot
on Jul 12, 2022
Contributor

Change https://go.dev/cl/417063 mentions this issue: go/parser: limit recursion depth

gopherbot

gopherbot commented on Jul 12, 2022

@gopherbot
gopherbot
on Jul 12, 2022
Contributor

Change https://go.dev/cl/417070 mentions this issue: [release-branch.go1.17] go/parser: limit recursion depth

gopherbot
added a commit that references this issue on Jul 12, 2022

[release-branch.go1.18] go/parser: limit recursion depth

0d1615b
gopherbot
closed this as completedin 695be96on Jul 12, 2022
gopherbot
moved this to Done in Release Blockerson Jul 12, 2022

11 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    Release Blockers

    Status

    Done

    Milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @tatianab@gopherbot

        Issue actions
          go/parser: stack exhaustion in all Parse* functions · Issue #53616 · golang/go