go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] #59274

gopherbot · 2023-03-27T15:06:17Z

@julieqiu requested issue #59180 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues.

gopherbot · 2023-04-04T16:31:01Z

Change https://go.dev/cl/481992 mentions this issue: [release-branch.go1.20] go/scanner: reject large line and column numbers in //line directives

…ers in //line directives Setting a large line or column number using a //line directive can cause integer overflow even in small source files. Limit line and column numbers in //line directives to 2^30-1, which is small enough to avoid int32 overflow on all reasonbly-sized files. Fixes CVE-2023-24537 For #59180 Fixes #59274 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456 Reviewed-by: Julie Qiu <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Damien Neil <[email protected]> Change-Id: Ib9c5cb38428ed34ab129d451b00a2998e72c861c Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802401 TryBot-Result: Security TryBots <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/481992 Reviewed-by: Matthew Dempsky <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Bypass: Michael Knyszek <[email protected]>

gopherbot · 2023-04-04T17:02:06Z

Closed by merging e7c4b07 to release-branch.go1.20.

gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 27, 2023

gopherbot mentioned this issue Mar 27, 2023

go/parser: infinite loop in parsing (CVE-2023-24537) #59180

Closed

gopherbot added this to the Go1.20.3 milestone Mar 27, 2023

dmitshur added the Security label Mar 29, 2023

gopherbot closed this as completed Apr 4, 2023

mknyszek changed the title ~~security: fix CVE-2023-24537 [1.20 backport]~~ go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] Apr 4, 2023

mknyszek added the CherryPickApproved Used during the release process for point releases label Apr 4, 2023

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Apr 4, 2023

golang locked and limited conversation to collaborators Apr 3, 2024

gopherbot added the FrozenDueToAge label Apr 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] #59274

go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] #59274

gopherbot commented Mar 27, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] #59274

go/parser: infinite loop in parsing (CVE-2023-24537) [1.20 backport] #59274

Comments

gopherbot commented Mar 27, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023