diff options
author | Katie Hockman <katie@golang.org> | 2021-03-01 09:54:00 -0500 |
---|---|---|
committer | Katie Hockman <katiehockman@google.com> | 2021-03-09 17:43:02 +0000 |
commit | 91062c2e4cbbf78a108919f6ed3ded1173937cf3 (patch) | |
tree | 6f04b2f35c33c61d0c73f6143dda8168aa7a7279 /VERSION | |
parent | fa6752a5370735b8c2404d6de5191f2eea67130f (diff) | |
download | go-91062c2e4cbbf78a108919f6ed3ded1173937cf3.tar.gz go-91062c2e4cbbf78a108919f6ed3ded1173937cf3.zip |
[release-branch.go1.15-security] encoding/xml: prevent infinite loop while decoding
This change properly handles a TokenReader which
returns an EOF in the middle of an open XML
element.
Thanks to Sam Whited for reporting this.
Fixes CVE-2021-27918
Change-Id: Id02a3f3def4a1b415fa2d9a8e3b373eb6cb0f433
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004594
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit e7ce1f6746223ec7b4caa3b1ece25d9be3864710)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1014236
Diffstat (limited to 'VERSION')
0 files changed, 0 insertions, 0 deletions