| commit | 8b5121be2f68d8fc40bb06467003bdde1040a094 | [log] [tgz] |
|---|---|---|
| author | Filippo Valsorda <filippo@golang.org> | Wed Jan 22 16:59:53 2020 -0500 |
| committer | Filippo Valsorda <valsorda@google.com> | Fri Jan 24 22:56:46 2020 +0000 |
| tree | 76cd6ce4eb13fcbf6e34e6ed644eb12399b7e160 | |
| parent | 5c40567a22f818bd14a1ea7245dad9f8ef0691aa [diff] |
[release-branch.go1.13] cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs When int is 32 bits wide (on 32-bit architectures like 386 and arm), an overflow could occur, causing a panic, due to malformed ASN.1 being passed to any of the ASN1 methods of String. Tested on linux/386 and darwin/amd64. This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof test vectors. Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211 Reviewed-by: Katie Hockman <katiehockman@google.com> Reviewed-by: Adam Langley <agl@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647740
This repository holds supplementary Go cryptography libraries.
The easiest way to install is to run go get -u golang.org/x/crypto/.... You can also manually git clone the repository to $GOPATH/src/golang.org/x/crypto.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.
The main issue tracker for the crypto repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.
Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.