security: fix CVE-2023-39326 [1.20 backport] #64434

gopherbot · 2023-11-28T21:25:28Z

@rolandshoemaker requested issue #64433 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues.

gopherbot · 2023-12-05T16:23:18Z

Change https://go.dev/cl/547355 mentions this issue: [release-branch.go1.20] net/http: limit chunked data overhead

gopherbot · 2023-12-05T17:18:46Z

Closed by merging 6446af9 to release-branch.go1.20.

The chunked transfer encoding adds some overhead to the content transferred. When writing one byte per chunk, for example, there are five bytes of overhead per byte of data transferred: "1\r\nX\r\n" to send "X". Chunks may include "chunk extensions", which we skip over and do not use. For example: "1;chunk extension here\r\nX\r\n". A malicious sender can use chunk extensions to add about 4k of overhead per byte of data. (The maximum chunk header line size we will accept.) Track the amount of overhead read in chunked data, and produce an error if it seems excessive. Updates #64433 Fixes #64434 Fixes CVE-2023-39326 Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407 Run-TryBot: Roland Shoemaker <bracewell@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/547355 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

The chunked transfer encoding adds some overhead to the content transferred. When writing one byte per chunk, for example, there are five bytes of overhead per byte of data transferred: "1\r\nX\r\n" to send "X". Chunks may include "chunk extensions", which we skip over and do not use. For example: "1;chunk extension here\r\nX\r\n". A malicious sender can use chunk extensions to add about 4k of overhead per byte of data. (The maximum chunk header line size we will accept.) Track the amount of overhead read in chunked data, and produce an error if it seems excessive. Updates golang#64433 Fixes golang#64434 Fixes CVE-2023-39326 Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407 Run-TryBot: Roland Shoemaker <bracewell@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/547355 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Nov 28, 2023

gopherbot mentioned this issue Nov 28, 2023

net/http: limit chunked data overhead CVE-2023-39326 #64433

Closed

gopherbot added this to the Go1.20.12 milestone Nov 28, 2023

rolandshoemaker added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Nov 28, 2023

dmitshur added the release-blocker label Nov 29, 2023

gopherbot closed this as completed Dec 5, 2023

StephenButtolph mentioned this issue Dec 5, 2023

Update minimum golang version to v1.20.12 ava-labs/avalanchego#2427

Merged

This was referenced Dec 7, 2023

Golang 1.20.12 ava-labs/teleporter#184

Merged

Golang 1.20.12 ava-labs/awm-relayer#103

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: fix CVE-2023-39326 [1.20 backport] #64434

security: fix CVE-2023-39326 [1.20 backport] #64434

gopherbot commented Nov 28, 2023

gopherbot commented Dec 5, 2023

gopherbot commented Dec 5, 2023

security: fix CVE-2023-39326 [1.20 backport] #64434

security: fix CVE-2023-39326 [1.20 backport] #64434

Comments

gopherbot commented Nov 28, 2023

gopherbot commented Dec 5, 2023

gopherbot commented Dec 5, 2023