mirror of
https://github.com/golang/go
synced 2024-11-11 19:31:37 -07:00
2116d60993
Previously, Decode called decodeError, a recursive function that was prone to stack overflows when given a large PEM file containing errors. Credit to Juho Nurminen of Mattermost who reported the error. Fixes CVE-2022-24675 Updates #51853 Fixes #52036 Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Filippo Valsorda <valsorda@google.com> (cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02) Reviewed-on: https://go-review.googlesource.com/c/go/+/399816 Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> |
||
---|---|---|
.. | ||
archive | ||
bufio | ||
builtin | ||
bytes | ||
cmd | ||
compress | ||
container | ||
context | ||
crypto | ||
database/sql | ||
debug | ||
embed | ||
encoding | ||
errors | ||
expvar | ||
flag | ||
fmt | ||
go | ||
hash | ||
html | ||
image | ||
index/suffixarray | ||
internal | ||
io | ||
log | ||
math | ||
mime | ||
net | ||
os | ||
path | ||
plugin | ||
reflect | ||
regexp | ||
runtime | ||
sort | ||
strconv | ||
strings | ||
sync | ||
syscall | ||
testdata | ||
testing | ||
text | ||
time | ||
unicode | ||
unsafe | ||
vendor | ||
all.bash | ||
all.bat | ||
all.rc | ||
bootstrap.bash | ||
buildall.bash | ||
clean.bash | ||
clean.bat | ||
clean.rc | ||
cmp.bash | ||
go.mod | ||
go.sum | ||
make.bash | ||
make.bat | ||
Make.dist | ||
make.rc | ||
race.bash | ||
race.bat | ||
README.vendor | ||
run.bash | ||
run.bat | ||
run.rc |
Vendoring in std and cmd ======================== The Go command maintains copies of external packages needed by the standard library in the src/vendor and src/cmd/vendor directories. In GOPATH mode, imports of vendored packages are resolved to these directories following normal vendor directory logic (see golang.org/s/go15vendor). In module mode, std and cmd are modules (defined in src/go.mod and src/cmd/go.mod). When a package outside std or cmd is imported by a package inside std or cmd, the import path is interpreted as if it had a "vendor/" prefix. For example, within "crypto/tls", an import of "golang.org/x/crypto/cryptobyte" resolves to "vendor/golang.org/x/crypto/cryptobyte". When a package with the same path is imported from a package outside std or cmd, it will be resolved normally. Consequently, a binary may be built with two copies of a package at different versions if the package is imported normally and vendored by the standard library. Vendored packages are internally renamed with a "vendor/" prefix to preserve the invariant that all packages have distinct paths. This is necessary to avoid compiler and linker conflicts. Adding a "vendor/" prefix also maintains the invariant that standard library packages begin with a dotless path element. The module requirements of std and cmd do not influence version selection in other modules. They are only considered when running module commands like 'go get' and 'go mod vendor' from a directory in GOROOT/src. Maintaining vendor directories ============================== Before updating vendor directories, ensure that module mode is enabled. Make sure GO111MODULE=off is not set ('on' or 'auto' should work). Requirements may be added, updated, and removed with 'go get'. The vendor directory may be updated with 'go mod vendor'. A typical sequence might be: cd src go get -d golang.org/x/net@latest go mod tidy go mod vendor Use caution when passing '-u' to 'go get'. The '-u' flag updates modules providing all transitively imported packages, not only the module providing the target package. Note that 'go mod vendor' only copies packages that are transitively imported by packages in the current module. If a new package is needed, it should be imported before running 'go mod vendor'.