Skip to content

go/build/constraint: stack exhaustion in Parse (CVE-2024-34158) #69141

New issue
New issue
Closed
Closed
go/build/constraint: stack exhaustion in Parse (CVE-2024-34158)#69141
Labels
FixPendingIssues that have a fix which has not yet been reviewed or submitted.NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.24
@rolandshoemaker

Description

@rolandshoemaker
rolandshoemaker
opened on Aug 29, 2024

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

This is a PRIVATE issue for CVE-2024-34158, tracked in http://b/362587324 and fixed by
https://go-internal-review.git.corp.google.com/c/go/+/1540.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    FixPendingIssues that have a fix which has not yet been reviewed or submitted.NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions