-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
io/fs: stack exhaustion in Glob (CVE-2022-30630) [1.17 backport] #53719
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
Used during the release process for point releases
label
Jul 6, 2022
Change https://go.dev/cl/417072 mentions this issue: |
Closed by merging 8c1d8c8 to release-branch.go1.17. |
gopherbot
pushed a commit
that referenced
this issue
Jul 12, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported a similar issue in path/filepath. Fixes #53719 Updates #53415 Fixes CVE-2022-30630 Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588 Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97) Reviewed-on: https://go-review.googlesource.com/c/go/+/417072 Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
mknyszek
changed the title
security: fix CVE-2022-30630 [1.17 backport]
io/fs: stack exhaustion in Glob (CVE-2022-30630) [1.17 backport]
Jul 12, 2022
mknyszek
added
the
CherryPickApproved
Used during the release process for point releases
label
Jul 12, 2022
gopherbot
removed
the
CherryPickCandidate
Used during the release process for point releases
label
Jul 12, 2022
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported a similar issue in path/filepath. Fixes golang#53719 Updates golang#53415 Fixes CVE-2022-30630 Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588 Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97) Reviewed-on: https://go-review.googlesource.com/c/go/+/417072 Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported a similar issue in path/filepath. Fixes golang#53719 Updates golang#53415 Fixes CVE-2022-30630 Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588 Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97) Reviewed-on: https://go-review.googlesource.com/c/go/+/417072 Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 12, 2022
A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported a similar issue in path/filepath. Fixes golang#53719 Updates golang#53415 Fixes CVE-2022-30630 Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588 Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97) Reviewed-on: https://go-review.googlesource.com/c/go/+/417072 Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: [email protected] Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@9aaea0a Upstream Source Commit: golang@8c1d8c8 # Original Information A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported a similar issue in path/filepath. Fixes golang#53719 Updates golang#53415 Fixes CVE-2022-30630 Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588 Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97) Reviewed-on: https://go-review.googlesource.com/c/go/+/417072 Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
@tatianab requested issue #53415 to be considered for backport to the next 1.17 minor release.
The text was updated successfully, but these errors were encountered: