Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

encoding/pem: stack overflow #51853

Closed
julieqiu opened this issue Mar 21, 2022 · 5 comments
Closed

encoding/pem: stack overflow #51853

julieqiu opened this issue Mar 21, 2022 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@julieqiu
Copy link
Member

julieqiu commented Mar 21, 2022

A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.

Thanks to Juho Nurminen of Mattermost who reported the error.

This is CVE-2022-24675.

(This was a PRIVATE issue tracked in http://b/216105673 and fixed by http://tg/1391157.)

/cc @golang/security and @golang/release

@julieqiu julieqiu added this to the Go1.18.1 milestone Mar 21, 2022
@FiloSottile FiloSottile changed the title security: fix security: fix CVE-2022-24675 Mar 30, 2022
@FiloSottile FiloSottile modified the milestones: Go1.18.1, Go1.19 Mar 30, 2022
@FiloSottile
Copy link
Contributor

@gopherbot please open backport issues for this security fix.

@gopherbot
Copy link

Backport issue(s) opened: #52036 (for 1.17), #52037 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@cherrymui cherrymui added the NeedsFix The path to resolution is known, but the work has not been done. label Apr 5, 2022
@gopherbot
Copy link

Change https://go.dev/cl/399816 mentions this issue: [release-branch.go1.17] encoding/pem: fix stack overflow in Decode

@gopherbot
Copy link

Change https://go.dev/cl/399817 mentions this issue: [release-branch.go1.18] encoding/pem: fix stack overflow in Decode

gopherbot pushed a commit that referenced this issue Apr 12, 2022
Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates #51853
Fixes #52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit that referenced this issue Apr 12, 2022
Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates #51853
Fixes #52037

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399817
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot
Copy link

Change https://go.dev/cl/399820 mentions this issue: encoding/pem: fix stack overflow in Decode

@dmitshur dmitshur changed the title security: fix CVE-2022-24675 encoding/pem: stack overflow Apr 12, 2022
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
Bump go to 1.18.1

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
Bump go to 1.17.9

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
Bump go to 1.17.9

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Update zlib download url's to use proper ones

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
Bump go to 1.17.9

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Update zlib download url's to use proper ones

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
Bump go to 1.18.1

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Also update zlib download url's

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo added a commit to frezbo/tools that referenced this issue Apr 13, 2022
Bump go to 1.18.1

Fixes:

- [CVE-2022-24675](golang/go#51853)
- [CVE-2022-28327](golang/go#52075)
- [CVE-2022-27536](golang/go#51759)

Also update zlib download url's

Signed-off-by: Noel Georgi <git@frezbo.dev>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates golang#51853
Fixes golang#52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates golang#51853
Fixes golang#52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 5, 2022
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@b3af1d2
Upstream Source Commit: golang@2116d60

# Original Information

Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates golang#51853
Fixes golang#52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@b3af1d2
Upstream Source Commit: golang@2116d60

# Original Information

Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates golang#51853
Fixes golang#52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
# AWS EKS
Backported To: go-1.16.15-eks
Backported On: Tue, 04 Oct 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@228f3af
Upstream Source Commit: golang@2116d60

# Original Information

Previously, Decode called decodeError, a recursive function that was
prone to stack overflows when given a large PEM file containing errors.

Credit to Juho Nurminen of Mattermost who reported the error.

Fixes CVE-2022-24675
Updates golang#51853
Fixes golang#52036

Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399816
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@golang golang locked and limited conversation to collaborators Apr 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

4 participants