go parser

About this tag
The go parser tag covers discussions about the Go programming language's standard library parser, particularly the go/parser package. Recent content focuses on CVE-2024-34155, a stack exhaustion vulnerability in Go's Parse* functions that can cause a panic when processing deeply nested source code. The vulnerability was fixed in Go 1.22.7 and 1.23.1. Microsoft's Azure Linux distribution is noted as a known carrier of the vulnerable library, though this attestation is a scoped inventory statement. Topics include security fixes, vulnerability management, and the impact on enterprise environments using Go-based tools.
  1. Go Parser Stack Exhaustion CVE-2024-34155: Fixes and Azure Linux Attestation

    Calling any of Go's Parse* functions on specially crafted, deeply nested source can exhaust the stack and trigger a panic — a vulnerability tracked as CVE-2024-34155 that sits in the go/parser standard library and has been fixed in the Go 1.22.7 and 1.23.1 releases; Microsoft’s public...