tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0
4.68k stars 312 forks

CVE-2022-23772 security vulnerability in Go 1.16.x and 1.17.x #103

Closed otramony closed 2 years ago

otramony commented 2 years ago

Is gosu affected by this security vulnerability?

https://nvd.nist.gov/vuln/detail/CVE-2022-23772

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

tianon commented 2 years ago

The only "math" stdlib imported even in our transitive dependencies is math/bits (let alone used) -- gosu itself definitely is not using math/big.
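The check tianon describes (does any transitive dependency pull in `math/big`, and is the toolchain in the affected range?) can be scripted. The following is an added example, not code from gosu or its maintainer: it applies the CVE-2022-23772 version ranges from the NVD text above to a `go version` string and scans a `go list -deps ./...` listing for the vulnerable package. The dependency listing embedded below is a constructed sample for illustration, not gosu's real dependency graph; run `go list -deps ./...` in the module you are auditing to get the real one.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleDeps is a constructed stand-in for the output of `go list -deps ./...`.
// It is NOT gosu's actual dependency listing.
const sampleDeps = `errors
internal/bytealg
math/bits
os
syscall
github.com/example/somemodule`

// leadingInt parses the leading decimal digits of s ("7", "7rc1" -> 7).
// A component with no leading digits parses as 0.
func leadingInt(s string) int {
	n := 0
	for _, c := range s {
		if c < '0' || c > '9' {
			break
		}
		n = n*10 + int(c-'0')
	}
	return n
}

// vulnerableGoVersion reports whether a toolchain version string such as
// "go1.17.6" or "1.16.13" falls inside the CVE-2022-23772 affected ranges
// given by NVD: before 1.16.14, or 1.17.x before 1.17.7.
func vulnerableGoVersion(v string) (bool, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	major, minor := leadingInt(parts[0]), leadingInt(parts[1])
	patch := 0
	if len(parts) > 2 {
		patch = leadingInt(parts[2])
	}
	if major != 1 {
		return false, fmt.Errorf("only Go 1.x versions are handled, got %q", v)
	}
	switch {
	case minor < 16: // every release older than 1.16.14 is unpatched
		return true, nil
	case minor == 16:
		return patch < 14, nil
	case minor == 17:
		return patch < 7, nil
	default: // 1.18 and later shipped after the fix
		return false, nil
	}
}

// importsPackage reports whether pkg appears as an exact import path in a
// newline-separated `go list -deps` listing.
func importsPackage(depsListing, pkg string) bool {
	for _, line := range strings.Split(depsListing, "\n") {
		if strings.TrimSpace(line) == pkg {
			return true
		}
	}
	return false
}

// exposedToCVE202223772 is true only when both conditions hold: the build
// toolchain is in the affected range AND math/big is in the dependency graph.
// A module that never imports math/big is not exposed regardless of version.
func exposedToCVE202223772(goVersion, depsListing string) (bool, error) {
	vuln, err := vulnerableGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	return vuln && importsPackage(depsListing, "math/big"), nil
}

func main() {
	// In a real audit, substitute the output of `go version` and `go list -deps ./...`.
	exposed, err := exposedToCVE202223772("go1.17.6", sampleDeps)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("math/bits imported: %v, math/big imported: %v, exposed: %v\n",
		importsPackage(sampleDeps, "math/bits"),
		importsPackage(sampleDeps, "math/big"), exposed)
}
```

The two conditions are deliberately separate: the toolchain check tells you whether a rebuild is due anyway, while the import check tells you whether this particular binary could ever reach the affected `Rat.SetString` code path.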