[go/release-branch.go1.24] [release-branch.go1.24] net/textproto: avoid quadratic complexity in Reader.ReadResponse


Gopher Robot (Gerrit)

Oct 7, 2025, 2:00:43 PM
to Michael Pratt, Damien Neil, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.24] net/textproto: avoid quadratic complexity in Reader.ReadResponse

Reader.ReadResponse constructed a response string from repeated
string concatenation, permitting a malicious sender to cause excessive
memory allocation and CPU consumption by sending a response consisting
of many short lines.

Use a strings.Builder to construct the string instead.

Thanks to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-61724
For #75716
Fixes #75717
Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
  • M src/net/textproto/reader.go
Change size: S
Delta: 1 file changed, 8 insertions(+), 3 deletions(-)
Branch: refs/heads/release-branch.go1.24
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee (requirement satisfied)
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt (requirement satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.24
Gerrit-Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
Gerrit-Change-Number: 709837
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Damien Neil <dn...@google.com>

Gopher Robot (Gerrit)

Oct 7, 2025, 2:02:14 PM
to Michael Pratt, Damien Neil, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.25] net/textproto: avoid quadratic complexity in Reader.ReadResponse


Reader.ReadResponse constructed a response string from repeated
string concatenation, permitting a malicious sender to cause excessive
memory allocation and CPU consumption by sending a response consisting
of many short lines.

Use a strings.Builder to construct the string instead.

Thanks to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-61724
For #75716
Fixes #75718
Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
  • M src/net/textproto/reader.go
Change size: S
Delta: 1 file changed, 8 insertions(+), 3 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee (requirement satisfied)
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt (requirement satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.25
Gerrit-Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
Gerrit-Change-Number: 709846

Gopher Robot (Gerrit)

Oct 7, 2025, 3:46:36 PM
to Michael Pratt, Damien Neil, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
net/textproto: avoid quadratic complexity in Reader.ReadResponse


Reader.ReadResponse constructed a response string from repeated
string concatenation, permitting a malicious sender to cause excessive
memory allocation and CPU consumption by sending a response consisting
of many short lines.

Use a strings.Builder to construct the string instead.

Thanks to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-61724
Fixes #75716
Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
  • M src/net/textproto/reader.go
Change size: S
Delta: 1 file changed, 8 insertions(+), 3 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee (requirement satisfied)
  • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI, TryBot-Bypass+1 by Michael Pratt (requirement satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
Gerrit-Change-Number: 709859
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
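
Added example, not part of the Gerrit messages and not the Go project's code: a model of the cost difference the commit message describes, counting bytes written when a message is built from many short lines by concatenation versus strings.Builder. The names joinConcat and joinBuilder, the "ok" input lines and the copy-counting method (a Builder regrow is inferred from a change in Cap) are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// joinConcat models the pattern the commit message names: each continuation
// line allocates a new string and rewrites everything accumulated so far.
func joinConcat(lines []string) (msg string, copied int) {
	for i, l := range lines {
		if i == 0 {
			msg = l
			continue
		}
		msg += "\n" + l    // new allocation: old msg + "\n" + l
		copied += len(msg) // every byte of the new string is written
	}
	return msg, copied
}

// joinBuilder uses strings.Builder (the type the fix adopts); a Cap change marks a regrow.
func joinBuilder(lines []string) (msg string, copied int) {
	var b strings.Builder
	write := func(s string) {
		oldCap, oldLen := b.Cap(), b.Len()
		b.WriteString(s)
		if b.Cap() != oldCap {
			copied += oldLen // buffer grew: existing bytes moved once
		}
		copied += len(s)
	}
	for i, l := range lines {
		if i > 0 {
			write("\n")
		}
		write(l)
	}
	return b.String(), copied
}

func main() {
	for _, n := range []int{1000, 2000, 4000} {
		lines := strings.Fields(strings.Repeat("ok ", n)) // constructed input
		_, c := joinConcat(lines)
		_, b := joinBuilder(lines)
		fmt.Println(n, "lines: concat copied", c, "builder copied", b)
	}
}
```

Doubling the line count roughly quadruples the concatenation figure while the Builder figure stays proportional to the message length, which is why a sender who controls the number of lines controls the receiver's CPU and allocation cost on unpatched code.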