compress/gzip: stack exhaustion in Reader.Read

[tatianab]

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

This is CVE-2022-30631.

(This was a PRIVATE issue tracked in http://b/231308989 and fixed by http://tg/1455673.)

/cc @golang/security and @golang/release

[tatianab]

this is for 1.17.12 and 1.18.4

[tatianab]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #53717 (for 1.17), #53718 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/417057 mentions this issue: [release-branch.go1.18] compress/gzip: fix stack exhaustion bug in Reader.Read

[gopherbot]

Change https://go.dev/cl/417067 mentions this issue: compress/gzip: fix stack exhaustion bug in Reader.Read

[gopherbot]

Change https://go.dev/cl/417071 mentions this issue: [release-branch.go1.17] compress/gzip: fix stack exhaustion bug in Reader.Read