Google Git
Sign in
go / go / b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
commitb13ce14c4a6aa59b7b041ad2b6eed2d23e15b574[log] [tgz]
authorDmitri Shuralyov <dmitshur@golang.org>Tue Jan 28 13:20:57 2020 -0500
committerDmitri Shuralyov <dmitshur@golang.org>Tue Jan 28 20:26:36 2020 +0000
tree74d4ed6d478c2fc21a3ecab301aae55d6675defe
parenta858d15f11f87b53792a6afb156716b80f9634c7 [diff]
src/go.mod: import x/crypto/cryptobyte security fix for 32-bit archs

	cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs

	When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
	overflow could occur, causing a panic, due to malformed ASN.1 being
	passed to any of the ASN1 methods of String.

	Tested on linux/386 and darwin/amd64.

	This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
	test vectors.

	Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211
	Reviewed-by: Katie Hockman <katiehockman@google.com>
	Reviewed-by: Adam Langley <agl@google.com>
	Reviewed-on: https://go-review.googlesource.com/c/crypto/+/216677
	Run-TryBot: Katie Hockman <katie@golang.org>
	Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
	Reviewed-by: Filippo Valsorda <filippo@golang.org>
	TryBot-Result: Gobot Gobot <gobot@golang.org>

x/crypto/cryptobyte is used in crypto/x509 for parsing certificates.
Malformed certificates might cause a panic during parsing on 32-bit
architectures (like arm and 386).

Change-Id: I840feb54eba880dbb96780ef7adcade073c4c4e3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647741
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/216680
Reviewed-by: Katie Hockman <katie@golang.org>
5 files changed
tree: 74d4ed6d478c2fc21a3ecab301aae55d6675defe
  1. .github/
  2. api/
  3. doc/
  4. lib/
  5. misc/
  6. src/
  7. test/
  8. .gitattributes
  9. .gitignore
  10. AUTHORS
  11. CONTRIBUTING.md
  12. CONTRIBUTORS
  13. favicon.ico
  14. LICENSE
  15. PATENTS
  16. README.md
  17. robots.txt
  18. SECURITY.md
README.md

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.

Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at https://golang.org/dl/.

After downloading a binary release, visit https://golang.org/doc/install or load doc/install.html in your web browser for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit https://golang.org/doc/install/source or load doc/install-source.html in your web browser for source installation instructions.

Contributing

Go is the work of thousands of contributors. We appreciate your help!

To contribute, please read the contribution guidelines: https://golang.org/doc/contribute.html

Note that the Go project uses the issue tracker for bug reports and proposals only. See https://golang.org/wiki/Questions for a list of places to ask questions about the Go language.