40c91388a1
CVE-2022-30635,CVE-2022-30630,CVE-2022-30632,CVE-2022-28131, CVE-2022-30631,CVE-2022-30629,CVE-2022-30634 Conflict: NA Score: CVE-2022-32148: 5.3 CVE-2022-1962: 6.2 CVE-2022-1705: 5.3 CVE-2022-30633: 6.2 CVE-2022-30635: 5.5 CVE-2022-30630: 6.2 CVE-2022-30632: 6.2 CVE-2022-28131: 6.2 CVE-2022-30631: 7.5 CVE-2022-30629: 2.6 CVE-2022-30634: 7.5 Reference: CVE-2022-32148: https://go-review.googlesource.com/c/go/+/415221 CVE-2022-1962: https://go-review.googlesource.com/c/go/+/417070 CVE-2022-1705: https://go-review.googlesource.com/c/go/+/415217 CVE-2022-30633: https://go-review.googlesource.com/c/go/+/417069 CVE-2022-30635: https://go-review.googlesource.com/c/go/+/417074 CVE-2022-30630: https://go-review.googlesource.com/c/go/+/417072 CVE-2022-30632: https://go-review.googlesource.com/c/go/+/417073 CVE-2022-28131: https://go-review.googlesource.com/c/go/+/417068 CVE-2022-30631: https://go-review.googlesource.com/c/go/+/417071 CVE-2022-30629: https://go-review.googlesource.com/c/go/+/408574 CVE-2022-30634: https://go-review.googlesource.com/c/go/+/406635 Reason: fix CVE: CVE-2022-32148: 0005-release-branch.go1.17-net-http-preserve-nil-values-i.patch CVE-2022-1962: 0006-release-branch.go1.17-go-parser-limit-recursion-dept.patch CVE-2022-1705: 0007-release-branch.go1.17-net-http-don-t-strip-whitespac.patch CVE-2022-30633: 0008-release-branch.go1.17-encoding-xml-limit-depth-of-ne.patch CVE-2022-30635: 0009-release-branch.go1.17-encoding-gob-add-a-depth-limit.patch CVE-2022-30630: 0010-release-branch.go1.17-io-fs-fix-stack-exhaustion-in-.patch CVE-2022-30632: 0011-release-branch.go1.17-path-filepath-fix-stack-exhaus.patch CVE-2022-28131: 0012-release-branch.go1.17-encoding-xml-use-iterative-Ski.patch CVE-2022-30631: 0013-release-branch.go1.17-compress-gzip-fix-stack-exhaus.patch CVE-2022-30629: 0014-release-branch.go1.17-crypto-tls-randomly-generate-t.patch CVE-2022-30634: 0015-release-branch.go1.17-crypto-rand-properly-handle-la.patch
86 lines
2.8 KiB
Diff
86 lines
2.8 KiB
Diff
From 7b98bf3a8711126c532033ca89647f3b743b58ec Mon Sep 17 00:00:00 2001
|
|
From: Julie Qiu <julieqiu@google.com>
|
|
Date: Thu, 23 Jun 2022 23:18:56 +0000
|
|
Subject: [PATCH 07/11] [release-branch.go1.17] path/filepath: fix stack
|
|
exhaustion in Glob
|
|
|
|
A limit is added to the number of path separators allowed by an input to
|
|
Glob, to prevent stack exhaustion issues.
|
|
|
|
Thanks to Juho Nurminen of Mattermost who reported the issue.
|
|
|
|
Fixes #53713
|
|
Updates #53416
|
|
Fixes CVE-2022-30632
|
|
|
|
Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176
|
|
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
|
(cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39)
|
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/417073
|
|
Reviewed-by: Heschi Kreinick <heschi@google.com>
|
|
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
Run-TryBot: Michael Knyszek <mknyszek@google.com>
|
|
|
|
Conflict: NA
|
|
Reference: https://go-review.googlesource.com/c/go/+/417073
|
|
---
|
|
src/path/filepath/match.go | 12 +++++++++++-
|
|
src/path/filepath/match_test.go | 10 ++++++++++
|
|
2 files changed, 21 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
|
|
index c77a26952a6..55ed1d75ae1 100644
|
|
--- a/src/path/filepath/match.go
|
|
+++ b/src/path/filepath/match.go
|
|
@@ -241,6 +241,16 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
|
|
// The only possible returned error is ErrBadPattern, when pattern
|
|
// is malformed.
|
|
func Glob(pattern string) (matches []string, err error) {
|
|
+ return globWithLimit(pattern, 0)
|
|
+}
|
|
+
|
|
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
|
|
+ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
|
|
+ const pathSeparatorsLimit = 10000
|
|
+ if depth == pathSeparatorsLimit {
|
|
+ return nil, ErrBadPattern
|
|
+ }
|
|
+
|
|
// Check pattern is well-formed.
|
|
if _, err := Match(pattern, ""); err != nil {
|
|
return nil, err
|
|
@@ -270,7 +280,7 @@ func Glob(pattern string) (matches []string, err error) {
|
|
}
|
|
|
|
var m []string
|
|
- m, err = Glob(dir)
|
|
+ m, err = globWithLimit(dir, depth+1)
|
|
if err != nil {
|
|
return
|
|
}
|
|
diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
|
|
index 375c41a7e9d..d6282596fed 100644
|
|
--- a/src/path/filepath/match_test.go
|
|
+++ b/src/path/filepath/match_test.go
|
|
@@ -155,6 +155,16 @@ func TestGlob(t *testing.T) {
|
|
}
|
|
}
|
|
|
|
+func TestCVE202230632(t *testing.T) {
|
|
+ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
|
|
+ // large number of separators (more than 4,000,000). There is now a limit
|
|
+ // of 10,000.
|
|
+ _, err := Glob("/*" + strings.Repeat("/", 10001))
|
|
+ if err != ErrBadPattern {
|
|
+ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
|
|
+ }
|
|
+}
|
|
+
|
|
func TestGlobError(t *testing.T) {
|
|
bad := []string{`[]`, `nonexist/[]`}
|
|
for _, pattern := range bad {
|
|
--
|
|
2.30.2
|
|
|