[go/release-branch.go1.24] [release-branch.go1.24] encoding/pem: make Decode complexity linear
1 view
Skip to first unread message
Gopher Robot (Gerrit)
Oct 7, 2025, 2:01:03 PM (18 hours ago) Oct 7
to Roland Shoemaker, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com
Gopher Robot submitted the change![]( "Open in Gerrit")
Change information
Commit message:
[release-branch.go1.24] encoding/pem: make Decode complexity linear
Because Decode scanned the input first for the first BEGIN line, and
then the first END line, the complexity of Decode is quadratic. If the
input contained a large number of BEGINs and then a single END right at
the end of the input, we would find the first BEGIN, and then scan the
entire input for the END, and fail to parse the block, so move onto the
next BEGIN, scan the entire input for the END, etc.
Instead, look for the first END in the input, and then the first BEGIN
that precedes the found END. We then process the bytes between the BEGIN
and END, and move onto the bytes after the END for further processing.
This gives us linear complexity.
Fixes CVE-2025-61723
For #75676
Fixes #75708
Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709842
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
- M src/encoding/pem/pem.go
- M src/encoding/pem/pem_test.go
Change size: M
Delta: 2 files changed, 44 insertions(+), 36 deletions(-)
Branch: refs/heads/release-branch.go1.24
Submit Requirements:
Code-Review: +2 by Carlos Amedee
TryBots-Pass: TryBot-Bypass+1 by Michael Pratt
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Michael Pratt (Gerrit)
Oct 7, 2025, 2:04:20 PM (18 hours ago) Oct 7
to Roland Shoemaker, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, golang-co...@googlegroups.com
Michael Pratt submitted the change![]( "Open in Gerrit")
Change information
Commit message:
[release-branch.go1.25] encoding/pem: make Decode complexity linear
Because Decode scanned the input first for the first BEGIN line, and
then the first END line, the complexity of Decode is quadratic. If the
input contained a large number of BEGINs and then a single END right at
the end of the input, we would find the first BEGIN, and then scan the
entire input for the END, and fail to parse the block, so move onto the
next BEGIN, scan the entire input for the END, etc.
Instead, look for the first END in the input, and then the first BEGIN
that precedes the found END. We then process the bytes between the BEGIN
and END, and move onto the bytes after the END for further processing.
This gives us linear complexity.
Fixes CVE-2025-61723
For #75676
Fixes #75709
Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709851
Reviewed-by: Carlos Amedee <car...@golang.org>
Auto-Submit: Michael Pratt <mpr...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Files:
- M src/encoding/pem/pem.go
- M src/encoding/pem/pem_test.go
Change size: M
Delta: 2 files changed, 44 insertions(+), 36 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
Code-Review: +2 by Carlos Amedee
TryBots-Pass: TryBot-Bypass+1 by Michael Pratt
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Gopher Robot (Gerrit)
Oct 7, 2025, 3:46:33 PM (16 hours ago) Oct 7
to Roland Shoemaker, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com
Gopher Robot submitted the change![]( "Open in Gerrit")
Change information
Commit message:
encoding/pem: make Decode complexity linear
Because Decode scanned the input first for the first BEGIN line, and
then the first END line, the complexity of Decode is quadratic. If the
input contained a large number of BEGINs and then a single END right at
the end of the input, we would find the first BEGIN, and then scan the
entire input for the END, and fail to parse the block, so move onto the
next BEGIN, scan the entire input for the END, etc.
Instead, look for the first END in the input, and then the first BEGIN
that precedes the found END. We then process the bytes between the BEGIN
and END, and move onto the bytes after the END for further processing.
This gives us linear complexity.
Fixes CVE-2025-61723
Fixes #75676
Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709858
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
- M src/encoding/pem/pem.go
- M src/encoding/pem/pem_test.go
Change size: M
Delta: 2 files changed, 44 insertions(+), 36 deletions(-)
Branch: refs/heads/master
Submit Requirements:
Code-Review: +2 by Carlos Amedee
TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI, TryBot-Bypass+1 by Michael Pratt
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages