4eff8aee0d
CVE-2022-30635,CVE-2022-30632,CVE-2022-28131, CVE-2022-30631,CVE-2022-30629,CVE-2022-30634 Conflict: CVE-2022-1962: src/go/parser/parser.go CVE-2022-1705: src/net/http/transfer.go CVE-2022-30634: src/crypto/rand/rand.go, src/crypto/rand/rand_windows.go Score: CVE-2022-32148: 5.3 CVE-2022-1962: 6.2 CVE-2022-1705: 5.3 CVE-2022-30633: 6.2 CVE-2022-30635: 5.5 CVE-2022-30632: 6.2 CVE-2022-28131: 6.2 CVE-2022-30631: 7.5 CVE-2022-30629: 2.6 CVE-2022-30634: 7.5 Reference: CVE-2022-32148: https://go-review.googlesource.com/c/go/+/415221 CVE-2022-1962: https://go-review.googlesource.com/c/go/+/417070 CVE-2022-1705: https://go-review.googlesource.com/c/go/+/415217 CVE-2022-30633: https://go-review.googlesource.com/c/go/+/417069 CVE-2022-30635: https://go-review.googlesource.com/c/go/+/417074 CVE-2022-30632: https://go-review.googlesource.com/c/go/+/417073 CVE-2022-28131: https://go-review.googlesource.com/c/go/+/417068 CVE-2022-30631: https://go-review.googlesource.com/c/go/+/417071 CVE-2022-30629: https://go-review.googlesource.com/c/go/+/408574 CVE-2022-30634: https://go-review.googlesource.com/c/go/+/406635 Reason: fix CVE CVE-2022-32148: 0064-release-branch.go1.17-net-http-preserve-nil-values-i.patch CVE-2022-1962: 0065-release-branch.go1.17-go-parser-limit-recursion-dept.patch CVE-2022-1705: 0066-release-branch.go1.17-net-http-don-t-strip-whitespac.patch CVE-2022-30633: 0067-release-branch.go1.17-encoding-xml-limit-depth-of-ne.patch CVE-2022-30635: 0068-release-branch.go1.17-encoding-gob-add-a-depth-limit.patch CVE-2022-30632: 0069-release-branch.go1.17-path-filepath-fix-stack-exhaus.patch CVE-2022-28131: 0070-release-branch.go1.17-encoding-xml-use-iterative-Ski.patch CVE-2022-30631: 0071-release-branch.go1.17-compress-gzip-fix-stack-exhaus.patch CVE-2022-30629: 0072-release-branch.go1.17-crypto-tls-randomly-generate-t.patch CVE-2022-30634: 0073-release-branch.go1.17-crypto-rand-properly-handle-la.patch
90 lines
2.9 KiB
Diff
90 lines
2.9 KiB
Diff
From 472c7e454d5d2a6afbc5494d55e0955c4f2a6990 Mon Sep 17 00:00:00 2001
|
|
From: Julie Qiu <julieqiu@google.com>
|
|
Date: Thu, 23 Jun 2022 23:18:56 +0000
|
|
Subject: [PATCH 06/10] [release-branch.go1.17] path/filepath: fix stack
|
|
exhaustion in Glob
|
|
|
|
A limit is added to the number of path separators allowed by an input to
|
|
Glob, to prevent stack exhaustion issues.
|
|
|
|
Thanks to Juho Nurminen of Mattermost who reported the issue.
|
|
|
|
Fixes #53713
|
|
Updates #53416
|
|
Fixes CVE-2022-30632
|
|
|
|
Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176
|
|
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
|
(cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39)
|
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/417073
|
|
Reviewed-by: Heschi Kreinick <heschi@google.com>
|
|
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
Run-TryBot: Michael Knyszek <mknyszek@google.com>
|
|
|
|
Conflict: NA
|
|
Reference: https://go-review.googlesource.com/c/go/+/417073
|
|
---
|
|
src/path/filepath/match.go | 16 +++++++++++++++-
|
|
src/path/filepath/match_test.go | 10 ++++++++++
|
|
2 files changed, 25 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
|
|
index 20a334805ba..b6a3b450fe8 100644
|
|
--- a/src/path/filepath/match.go
|
|
+++ b/src/path/filepath/match.go
|
|
@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
|
|
// The only possible returned error is ErrBadPattern, when pattern
|
|
// is malformed.
|
|
func Glob(pattern string) (matches []string, err error) {
|
|
+ return globWithLimit(pattern, 0)
|
|
+}
|
|
+
|
|
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
|
|
+ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
|
|
+ const pathSeparatorsLimit = 10000
|
|
+ if depth == pathSeparatorsLimit {
|
|
+ return nil, ErrBadPattern
|
|
+ }
|
|
+
|
|
+ // Check pattern is well-formed.
|
|
+ if _, err := Match(pattern, ""); err != nil {
|
|
+ return nil, err
|
|
+ }
|
|
if !hasMeta(pattern) {
|
|
if _, err = os.Lstat(pattern); err != nil {
|
|
return nil, nil
|
|
@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
|
|
}
|
|
|
|
var m []string
|
|
- m, err = Glob(dir)
|
|
+ m, err = globWithLimit(dir, depth+1)
|
|
if err != nil {
|
|
return
|
|
}
|
|
diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
|
|
index b8657626bc7..c37c812181f 100644
|
|
--- a/src/path/filepath/match_test.go
|
|
+++ b/src/path/filepath/match_test.go
|
|
@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
|
|
}
|
|
}
|
|
|
|
+func TestCVE202230632(t *testing.T) {
|
|
+ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
|
|
+ // large number of separators (more than 4,000,000). There is now a limit
|
|
+ // of 10,000.
|
|
+ _, err := Glob("/*" + strings.Repeat("/", 10001))
|
|
+ if err != ErrBadPattern {
|
|
+ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
|
|
+ }
|
|
+}
|
|
+
|
|
func TestGlobError(t *testing.T) {
|
|
_, err := Glob("[]")
|
|
if err == nil {
|
|
--
|
|
2.30.2
|
|
|