Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/dsa: invalid public key causes panic in dsa.Verify #34960

Closed
katiehockman opened this issue Oct 17, 2019 · 6 comments

Comments

@katiehockman
Copy link
Member

@katiehockman katiehockman commented Oct 17, 2019

Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking crypto/x509.(*CertificateRequest) CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.

The issue is CVE-2019-17596.

@katiehockman katiehockman added this to the Go1.14 milestone Oct 17, 2019
@katiehockman

This comment has been minimized.

Copy link
Member Author

@katiehockman katiehockman commented Oct 17, 2019

@gopherbot please open backport issues as this is a security issue

@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Oct 17, 2019

Backport issue(s) opened: #34961 (for 1.12), #34962 (for 1.13).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@kevinburkemeter

This comment has been minimized.

Copy link

@kevinburkemeter kevinburkemeter commented Oct 17, 2019

I may be missing something, but I don't see this commit on or near tip of the master branch. Is Go 1.14/master not vulnerable to this issue?

@FiloSottile

This comment has been minimized.

Copy link
Member

@FiloSottile FiloSottile commented Oct 17, 2019

The announcement has more details about the impact: https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ

@kevinburkemeter We do the cherry-pick to master last, as we make no security promises about tip, making it low priority. This issue will be closed when that happens.

@kevinburkemeter

This comment has been minimized.

Copy link

@kevinburkemeter kevinburkemeter commented Oct 17, 2019

Ah, okay, thanks for the clarification. I got confused by the bot which says "as soon as the patch is submitted to master" which would seem to imply that's the first thing that happens.

amartinezfayo added a commit to amartinezfayo/spire that referenced this issue Oct 18, 2019
golang/go#34960
This PR bumps the 0.8 branch. A new release will be cut as soon as this is merged.

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
amartinezfayo added a commit to amartinezfayo/spire that referenced this issue Oct 18, 2019
golang/go#34960

This PR bumps the 0.8 branch. A new release will be cut as soon as this is merged.

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
L11R added a commit to ecies/go that referenced this issue Oct 28, 2019
bobvawter added a commit to bobvawter/cockroach that referenced this issue Oct 29, 2019
This change upgrades the go runtime to 1.12.12 in order to pick up a (security
fix)[golang/go#34960].

Per the [checklist](build/README.md):
* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: cockroachdb#41718

Release note (build change): The go runtime has been upgraded to 1.12.12.
bobvawter added a commit to bobvawter/cockroach that referenced this issue Oct 29, 2019
This change upgrades the go runtime to 1.12.12 in order to pick up a [security
fix](golang/go#34960).

Per the [checklist](build/README.md):
* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: cockroachdb#41718

Release note (build change): The go runtime has been upgraded to 1.12.12.
@bobvawter bobvawter referenced this issue Oct 29, 2019
3 of 4 tasks complete
bobvawter added a commit to bobvawter/cockroach that referenced this issue Oct 29, 2019
This change upgrades the go runtime to 1.12.12 in order to pick up a [security
fix](golang/go#34960).

Per the [checklist](build/README.md):
* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: cockroachdb#41718

Release note (build change): The go runtime has been upgraded to 1.12.12.
@bobvawter bobvawter referenced this issue Oct 29, 2019
3 of 4 tasks complete
craig bot pushed a commit to cockroachdb/cockroach that referenced this issue Oct 29, 2019
41901: storage/engine: centralize specification of pebble.Options r=petermattis a=petermattis

Fixes #41860

Release note: None

41993: build: Upgrade to go 1.12.12 r=bobvawter a=bobvawter

This change upgrades the go runtime to 1.12.12 in order to pick up a [security
fix](golang/go#34960).

Per the [checklist](build/README.md):
* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: #41718

Release note (build change): The go runtime has been upgraded to 1.12.12.

Co-authored-by: Peter Mattis <petermattis@gmail.com>
Co-authored-by: Bob Vawter <bob@cockroachlabs.com>
craig bot pushed a commit to cockroachdb/cockroach that referenced this issue Oct 29, 2019
41994: release-19.2: build: Upgrade to go 1.12.12 r=bobvawter a=bobvawter

Backport 1/1 commits from #41993.

/cc @cockroachdb/release

---

This change upgrades the go runtime to 1.12.12 in order to pick up a [security
fix](golang/go#34960).

Per the [checklist](build/README.md):
* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: #41718

Release note (build change): The go runtime has been upgraded to 1.12.12.


Co-authored-by: Bob Vawter <bob@cockroachlabs.com>
craig bot pushed a commit to cockroachdb/cockroach that referenced this issue Oct 29, 2019
41994: release-19.2: build: Upgrade to go 1.12.12 r=bobvawter a=bobvawter

Backport 1/1 commits from #41993.

/cc @cockroachdb/release

---

This change upgrades the go runtime to 1.12.12 in order to pick up a [security
fix](golang/go#34960).

Per the [checklist](build/README.md):
* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: #41718

Release note (build change): The go runtime has been upgraded to 1.12.12.


Co-authored-by: Bob Vawter <bob@cockroachlabs.com>
craig bot pushed a commit to cockroachdb/cockroach that referenced this issue Oct 30, 2019
41994: release-19.2: build: Upgrade to go 1.12.12 r=bobvawter a=bobvawter

Backport 1/1 commits from #41993.

/cc @cockroachdb/release

---

This change upgrades the go runtime to 1.12.12 in order to pick up a [security
fix](golang/go#34960).

Per the [checklist](build/README.md):
* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: #41718

Release note (build change): The go runtime has been upgraded to 1.12.12.


Co-authored-by: Bob Vawter <bob@cockroachlabs.com>
cirocosta added a commit to concourse/concourse that referenced this issue Oct 31, 2019
add the release note about building Concourse with go 1.13.2 to address
golang/go#34960 (CVE-2019-17596).

Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
cirocosta added a commit to concourse/concourse that referenced this issue Oct 31, 2019
add the release note about building Concourse with go 1.13.2 to address
golang/go#34960 (CVE-2019-17596).

Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Nov 5, 2019

Change https://golang.org/cl/205441 mentions this issue: crypto/dsa: prevent bad public keys from causing panic

@gopherbot gopherbot closed this in 552987f Nov 5, 2019
bobvawter added a commit to bobvawter/cockroach that referenced this issue Nov 11, 2019
This change upgrades the go runtime to 1.12.12 in order to pick up a [security
fix](golang/go#34960).

Per the [checklist](build/README.md):
* [X] Adjust version in Docker image
* [X] Rebuild the Docker image and bump the version in builder.sh accordingly
* [ ] ~Bump the version in go-version-check.sh~ (Patch release, not necessary)
* [X] Bump the default installed version of Go in bootstrap-debian.sh

Fixes: cockroachdb#41718

Release note (build change): The go runtime has been upgraded to 1.12.12.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.