tianon/gosu

CVE-2022-23772 security vulnerability in Go 1.16.x and 1.17.x

otramony opened this issue · 1 comment

Is gosu affected by this security vulnerability?

https://nvd.nist.gov/vuln/detail/CVE-2022-23772

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

The only "math" stdlib imported even in our transitive dependencies is math/bits (let alone used) -- gosu itself definitely is not using math/big.
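One way to reproduce the check described in the reply (whether `math/big` appears anywhere in a Go module's transitive dependencies) is to feed the output of `go list -deps -json .` to a small script; the example below is added here and is not part of gosu or this issue, and the `go list` output it parses is a constructed sample with a hypothetical module path.

```python
import json
from typing import Iterator

# Constructed sample of `go list -deps -json .` output, trimmed to the fields
# used here. Note the format: a stream of concatenated JSON objects, not an array.
SAMPLE_GO_LIST_OUTPUT = """
{"ImportPath": "math/bits", "Standard": true}
{"ImportPath": "syscall", "Standard": true, "Imports": ["math/bits"]}
{"ImportPath": "os", "Standard": true, "Imports": ["syscall"]}
{"ImportPath": "example.com/hypothetical/gosu", "Standard": false, "Imports": ["os"]}
"""


def iter_go_list_objects(text: str) -> Iterator[dict]:
    """Yield each package object from `go list -json` output.

    json.loads() on the whole stream fails because there is no enclosing
    array, so decode one object at a time with raw_decode().
    """
    decoder = json.JSONDecoder()
    text = text.strip()
    pos = 0
    while pos < len(text):
        obj, end = decoder.raw_decode(text, pos)
        yield obj
        pos = end
        # Skip the newline(s) separating consecutive objects.
        while pos < len(text) and text[pos].isspace():
            pos += 1


def math_packages(text: str) -> list[str]:
    """Return every stdlib package under math/ (or math itself) in the dep graph."""
    found = set()
    for pkg in iter_go_list_objects(text):
        path = pkg["ImportPath"]
        if pkg.get("Standard") and (path == "math" or path.startswith("math/")):
            found.add(path)
    return sorted(found)


def uses_math_big(text: str) -> bool:
    """True if math/big (the package named in CVE-2022-23772) is a dependency."""
    return "math/big" in math_packages(text)
```

Run `go list -deps -json .` inside the module and pass its stdout to `uses_math_big`; a `False` result means the vulnerable package is not linked at all, independent of whether any code path calls `Rat.SetString`.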