crypto/x509: panics on invalid curve instead of returning error [1.19 backport] #54295

Open
gopherbot opened this issue Aug 5, 2022 · 0 comments
@gopherbot gopherbot commented Aug 5, 2022

@FiloSottile requested issue #54288 to be considered for backport to the next 1.19 minor release.

> Ah, yeah, functions with an error return value should definitely return an error, not panic. I'll do a pass of all the marshal-side paths, and see if there are other issues like this.
>
> @gopherbot please open a backport issue to Go 1.19. I don't think this is a security issue because the attacker can't control the curve of a certificate being marshaled, but panic'ing where we were returning an error is a regression and we should quash it.

@gopherbot gopherbot added the CherryPickCandidate label Aug 5, 2022
@gopherbot gopherbot added this to the Go1.19.1 milestone Aug 5, 2022
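
For callers that must stay up on an affected release, one defensive pattern is to allowlist the curve before marshaling and turn any panic on the marshal path back into an error. This is an added example, not code from the Go project or from this issue; it assumes `x509.MarshalPKIXPublicKey` as the marshal-side call (the issue text does not name the affected function), and `safeMarshalPublicKey`, `ErrUnsupportedCurve` and `constructedCurveKey` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
)

// ErrUnsupportedCurve is a hypothetical sentinel defined for this example.
var ErrUnsupportedCurve = errors.New("unsupported elliptic curve")

// safeMarshalPublicKey (hypothetical helper) rejects curves outside the
// standard NIST set before marshaling, and converts any panic raised on the
// marshal path into an ordinary error value.
func safeMarshalPublicKey(pub *ecdsa.PublicKey) (der []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			der, err = nil, fmt.Errorf("marshal panicked: %v", r)
		}
	}()
	if pub == nil {
		return nil, errors.New("nil public key")
	}
	switch pub.Curve {
	case elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521():
		return x509.MarshalPKIXPublicKey(pub)
	}
	return nil, ErrUnsupportedCurve
}

// constructedCurveKey builds sample input: P-256 parameters copied under a
// different name, so the curve is not one of the named curve values.
func constructedCurveKey() *ecdsa.PublicKey {
	p := *elliptic.P256().Params()
	p.Name = "constructed-example-curve"
	return &ecdsa.PublicKey{Curve: &p, X: p.Gx, Y: p.Gy}
}

func main() {
	good, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := safeMarshalPublicKey(&good.PublicKey)
	fmt.Println(len(der) > 0, err)
	_, err = safeMarshalPublicKey(constructedCurveKey())
	fmt.Println(err)
}
```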