Skip to content

go/parser: stack exhaustion in all Parse* functions #53616

New issue
New issue
Closed
Closed
go/parser: stack exhaustion in all Parse* functions#53616
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
 
Go1.19
@tatianab

Description

@tatianab
tatianab
opened on Jun 29, 2022

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962.

(This was a PRIVATE issue tracked in http://b/236145171 and fixed by http://tg/1491025.)

/cc https://github.com/orgs/golang/teams/security and https://github.com/orgs/golang/teams/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    Release Blockers

    Status

    Done

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions