encoding/asn1: truncated ASN.1 with explicitly tagged elements can panic. #11154
Thanks to Kyle Isom for fuzzing and finding that it's possible to panic encoding/asn1.Unmarshal when ASN.1 data is truncated after an explicit tag.
This can affect the parsing of various ASN.1 structures, most importantly X.509 certificates. TLS servers without client-authentication enabled (which is the vast majority of them) should be unaffected. Also, even with client-authentication enabled, calling code often catches and handles any panics.
TLS clients can be forced into panicking if the server sends a suitably crafted certificate.
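
The issue notes that calling code often catches and handles panics. The Go program below is an added example, not code from the issue or the Go project: it wraps `asn1.Unmarshal` in a `recover` and checks that truncated encodings of a structure with an explicitly tagged field come back as errors. The `record` type, the helper names and the sample bytes are constructed for illustration, and `emptyExplicit` is a constructed regression input, not the original fuzzing input.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// record is a constructed sample type with one explicitly tagged field.
type record struct {
	Version int `asn1:"explicit,tag:0"`
	Name    string
}

// emptyExplicit (constructed): SEQUENCE { [0] EXPLICIT with no content }.
// The enclosing lengths are consistent, but the tagged element is cut short.
var emptyExplicit = []byte{0x30, 0x02, 0xa0, 0x00}

// safeUnmarshal turns a panic inside the parser into an ordinary error so
// that untrusted input cannot crash the calling goroutine.
func safeUnmarshal(der []byte, out interface{}) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("asn1: parser panicked: %v", r)
		}
	}()
	rest, err := asn1.Unmarshal(der, out)
	if err == nil && len(rest) != 0 {
		err = fmt.Errorf("asn1: %d trailing bytes", len(rest))
	}
	return err
}

// sampleDER returns a valid encoding of a constructed record.
func sampleDER() []byte {
	der, err := asn1.Marshal(record{Version: 2, Name: "example"})
	if err != nil {
		panic(err) // cannot happen for this fixed value
	}
	return der
}

// truncationSweep parses every proper prefix of der and returns the prefix
// lengths that were wrongly accepted; an empty result is the expected one.
func truncationSweep(der []byte) (accepted []int) {
	for n := 0; n < len(der); n++ {
		var r record
		if safeUnmarshal(der[:n], &r) == nil {
			accepted = append(accepted, n)
		}
	}
	return accepted
}

func main() {
	fmt.Println("accepted prefixes:", truncationSweep(sampleDER()))
	fmt.Println("empty explicit tag:", safeUnmarshal(emptyExplicit, &record{}))
}
```

A sweep like this can run as a unit test or seed a fuzz corpus, so a parser regression surfaces as a test failure rather than as a crash in a TLS client.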