!410 Fix CVE-2024-34155
From: @roygiteee Reviewed-by: @hcnbxx Signed-off-by: @hcnbxx
This commit is contained in:
openeuler-ci-bot
Gitee
commit
335a89266d
@ -0,0 +1,60 @@
|
||||
commit b232596139dbe96a62edbe3a2a203e856bf556eb
|
||||
Author: Roland Shoemaker <bracewell@google.com>
|
||||
Date: Mon Jun 10 15:34:12 2024 -0700
|
||||
|
||||
[release-branch.go1.22] go/parser: track depth in nested element lists
|
||||
|
||||
Prevents stack exhaustion with extremely deeply nested literal values,
|
||||
i.e. field values in structs.
|
||||
|
||||
Updates #69138
|
||||
Fixes #69142
|
||||
Fixes CVE-2024-34155
|
||||
|
||||
Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520
|
||||
Reviewed-by: Robert Griesemer <gri@google.com>
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Russ Cox <rsc@google.com>
|
||||
(cherry picked from commit eb1b038c0d01761694e7a735ef87ac9164c6568e)
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1561
|
||||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/611181
|
||||
Reviewed-by: Michael Pratt <mpratt@google.com>
|
||||
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
||||
|
||||
diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go
|
||||
index 17808b366f..f268dea1a6 100644
|
||||
--- a/src/go/parser/parser.go
|
||||
+++ b/src/go/parser/parser.go
|
||||
@@ -1676,6 +1676,8 @@ func (p *parser) parseElementList() (list []ast.Expr) {
|
||||
}
|
||||
|
||||
func (p *parser) parseLiteralValue(typ ast.Expr) ast.Expr {
|
||||
+ defer decNestLev(incNestLev(p))
|
||||
+
|
||||
if p.trace {
|
||||
defer un(trace(p, "LiteralValue"))
|
||||
}
|
||||
diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
|
||||
index 43b3416b27..c6dca66760 100644
|
||||
--- a/src/go/parser/parser_test.go
|
||||
+++ b/src/go/parser/parser_test.go
|
||||
@@ -598,10 +598,11 @@ var parseDepthTests = []struct {
|
||||
{name: "chan2", format: "package main; var x «<-chan »int"},
|
||||
{name: "interface", format: "package main; var x «interface { M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType
|
||||
{name: "map", format: "package main; var x «map[int]»int"},
|
||||
- {name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
|
||||
- {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
|
||||
- {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
|
||||
- {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2}, // Parser nodes: CompositeLit, KeyValueExpr
|
||||
+ {name: "slicelit", format: "package main; var x = []any{«[]any{«»}»}", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
|
||||
+ {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
|
||||
+ {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
|
||||
+ {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 3}, // Parser nodes: CompositeLit, KeyValueExpr
|
||||
+ {name: "element", format: "package main; var x = struct{x any}{x: «{«»}»}"},
|
||||
{name: "dot", format: "package main; var x = «x.»x"},
|
||||
{name: "index", format: "package main; var x = x«[1]»"},
|
||||
{name: "slice", format: "package main; var x = x«[1:2]»"},
|
||||
10
golang.spec
10
golang.spec
@ -58,7 +58,7 @@
|
||||
|
||||
Name: golang
|
||||
Version: 1.15.7
|
||||
Release: 46
|
||||
Release: 47
|
||||
Summary: The Go Programming Language
|
||||
License: BSD and Public Domain
|
||||
URL: https://golang.org/
|
||||
@ -265,6 +265,8 @@ Patch6120: 0120-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
|
||||
Patch6121: 0121-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
|
||||
Patch6122: 0122-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
|
||||
Patch6123: 0123-Backport-net-http-send-body-or-close-connection-on-e.patch
|
||||
Patch6124: 0124-CVE-2024-34155-track-depth-in-nested-element-lists.patch
|
||||
|
||||
|
||||
Patch9001: 0001-drop-hard-code-cert.patch
|
||||
Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
|
||||
@ -504,6 +506,12 @@ fi
|
||||
%files devel -f go-tests.list -f go-misc.list -f go-src.list
|
||||
|
||||
%changelog
|
||||
* Fri Sep 13 2024 Yu Peng <yupeng@kylinos.cn> - 1.15.7-47
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-34155
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2024-34155
|
||||
|
||||
* Tue Aug 13 2024 hanchao <hanchao63@huawei.com> - 1.15.7-46
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-24791
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user