Skip to content

go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155) #69138

New issue
New issue
Closed
Closed
go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155)#69138
Labels
FixPendingIssues that have a fix which has not yet been reviewed or submitted.NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.24
@rolandshoemaker

Description

@rolandshoemaker
rolandshoemaker
opened on Aug 29, 2024

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

This is a PRIVATE issue for CVE-2024-34155, tracked in http://b/362588373 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1520.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    FixPendingIssues that have a fix which has not yet been reviewed or submitted.NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions