blob: 956c5ecd87c2a55bc569bf2d6797580e9f1983d4 [file] [log] [blame]
id: GO-2022-0229
modules:
- module: std
versions:
- fixed: 1.12.16
- introduced: 1.13.0-0
fixed: 1.13.7
vulnerable_at: 1.13.6
packages:
- package: crypto/x509
- module: golang.org/x/crypto
versions:
- fixed: 0.0.0-20200124225646-8b5121be2f68
vulnerable_at: 0.0.0-20200115085410-6d4e4cb37c7d
packages:
- package: golang.org/x/crypto/cryptobyte
summary: Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte
description: |-
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can be
made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
published: 2022-07-06T18:23:48Z
cves:
- CVE-2020-7919
ghsas:
- GHSA-cjjc-xp8v-855w
credits:
- Project Wycheproof
references:
- fix: https://go.dev/cl/216680
- fix: https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
- fix: https://go.dev/cl/216677
- report: https://go.dev/issue/36837
- web: https://groups.google.com/g/golang-announce/c/Hsw4mHYc470