Skip to content

security: fix CVE-2023-45290 [1.21 backport] #65389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Jan 30, 2024 · 2 comments
Closed

security: fix CVE-2023-45290 [1.21 backport] #65389

gopherbot opened this issue Jan 30, 2024 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone
Go1.21.8

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #65383 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues for this security fix.
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Jan 30, 2024
@gopherbot gopherbot mentioned this issue Jan 30, 2024
Closed
@gopherbot gopherbot added this to the Go1.21.7 milestone Jan 30, 2024
@neild neild added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Jan 30, 2024
@gopherbot gopherbot modified the milestones: Go1.21.7, Go1.21.8 Feb 6, 2024
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/569240 mentions this issue: [release-branch.go1.21] net/textproto, mime/multipart: avoid unbounded read in MIME header

@gopherbot
Copy link
Contributor Author

Closed by merging bf80213 to release-branch.go1.21.

gopherbot pushed a commit that referenced this issue Mar 5, 2024
@neild @gopherbot
[release-branch.go1.21] net/textproto, mime/multipart: avoid unbounde…
bf80213 
…d read in MIME header

mime/multipart.Reader.ReadForm allows specifying the maximum amount
of memory that will be consumed by the form. While this limit is
correctly applied to the parsed form data structure, it was not
being applied to individual header lines in a form.

For example, when presented with a form containing a header line
that never ends, ReadForm will continue to read the line until it
runs out of memory.

Limit the amount of data consumed when reading a header.

Fixes CVE-2023-45290
Fixes #65389
For #65383

Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776
Reviewed-by: Carlos Amedee <amedee@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569240
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
@StephenButtolph StephenButtolph mentioned this issue Mar 5, 2024
Merged
1 task
@golang golang locked and limited conversation to collaborators Mar 5, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Milestone
Go1.21.8
Development

No branches or pull requests
2 participants
@neild @gopherbot