Skip to content

security: fix CVE-2023-45290 [1.22 backport] #65850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
neild opened this issue Feb 21, 2024 · 2 comments
Closed

security: fix CVE-2023-45290 [1.22 backport] #65850

neild opened this issue Feb 21, 2024 · 2 comments
Assignees
@neild
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone
Go1.22.1

Comments

@neild
Copy link
Contributor

neild commented Feb 21, 2024

Backport issue for PRIVATE track security issue #65383.
@neild neild added Security CherryPickApproved Used during the release process for point releases labels Feb 21, 2024
@neild neild added this to the Go1.22.1 milestone Feb 21, 2024
@neild neild self-assigned this Feb 21, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/569237 mentions this issue: [release-branch.go1.22] net/textproto, mime/multipart: avoid unbounded read in MIME header

gopherbot pushed a commit that referenced this issue Mar 5, 2024
@neild @gopherbot
[release-branch.go1.22] net/textproto, mime/multipart: avoid unbounde…
041a477 
…d read in MIME header

mime/multipart.Reader.ReadForm allows specifying the maximum amount
of memory that will be consumed by the form. While this limit is
correctly applied to the parsed form data structure, it was not
being applied to individual header lines in a form.

For example, when presented with a form containing a header line
that never ends, ReadForm will continue to read the line until it
runs out of memory.

Limit the amount of data consumed when reading a header.

Fixes CVE-2023-45290
Fixes #65850
For #65383

Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174345
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569237
Reviewed-by: Carlos Amedee <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
@gopherbot
Copy link
Contributor

Closed by merging 041a477 to release-branch.go1.22.

bradfitz pushed a commit to tailscale/go that referenced this issue Mar 5, 2024
@neild @bradfitz
[release-branch.go1.22] net/textproto, mime/multipart: avoid unbounde…
56c3d20 
…d read in MIME header

mime/multipart.Reader.ReadForm allows specifying the maximum amount
of memory that will be consumed by the form. While this limit is
correctly applied to the parsed form data structure, it was not
being applied to individual header lines in a form.

For example, when presented with a form containing a header line
that never ends, ReadForm will continue to read the line until it
runs out of memory.

Limit the amount of data consumed when reading a header.

Fixes CVE-2023-45290
Fixes golang#65850
For golang#65383

Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174345
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569237
Reviewed-by: Carlos Amedee <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
romaindoumenc pushed a commit to TroutSoftware/go that referenced this issue Mar 6, 2024
@neild @romaindoumenc
[release-branch.go1.22] net/textproto, mime/multipart: avoid unbounde…
c1324bf 
…d read in MIME header

mime/multipart.Reader.ReadForm allows specifying the maximum amount
of memory that will be consumed by the form. While this limit is
correctly applied to the parsed form data structure, it was not
being applied to individual header lines in a form.

For example, when presented with a form containing a header line
that never ends, ReadForm will continue to read the line until it
runs out of memory.

Limit the amount of data consumed when reading a header.

Fixes CVE-2023-45290
Fixes golang#65850
For golang#65383

Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174345
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569237
Reviewed-by: Carlos Amedee <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
@golang golang locked and limited conversation to collaborators Mar 5, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@neild neild

Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Milestone
Go1.22.1
Development

No branches or pull requests
2 participants
@neild @gopherbot