data/reports/GO-2020-0012.yaml - vulndb - Git at Google

 modules:
   - module: golang.org/x/crypto
     versions:
       - fixed: 0.0.0-20200220183623-bac4c82f6975
     vulnerable_at: 0.0.0-20200219234226-1ad67e1f0ef4
     packages:
       - package: golang.org/x/crypto/ssh
         symbols:
           - parseED25519
           - ed25519PublicKey.Verify
           - parseSKEd25519
           - skEd25519PublicKey.Verify
           - NewPublicKey
         derived_symbols:
           - CertChecker.Authenticate
           - CertChecker.CheckCert
           - CertChecker.CheckHostKey
           - Certificate.Verify
           - Dial
           - NewClientConn
           - NewServerConn
           - NewSignerFromKey
           - NewSignerFromSigner
           - ParseAuthorizedKey
           - ParseKnownHosts
           - ParsePrivateKey
           - ParsePrivateKeyWithPassphrase
           - ParsePublicKey
           - ParseRawPrivateKey
           - ParseRawPrivateKeyWithPassphrase
 description: |
     An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
     key, such that the library will panic when trying to verify a signature
     with it. If verifying signatures using user supplied public keys, this
     may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2020-9283
 ghsas:
   - GHSA-ffhg-7mh4-33c4
 credit: Alex Gaynor, Fish in a Barrel
 references:
   - fix: https://go.dev/cl/220357
   - fix: https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
   - web: https://groups.google.com/g/golang-announce/c/3L45YRc91SY
	modules:
	- module: golang.org/x/crypto
	versions:
	- fixed: 0.0.0-20200220183623-bac4c82f6975
	vulnerable_at: 0.0.0-20200219234226-1ad67e1f0ef4
	packages:
	- package: golang.org/x/crypto/ssh
	symbols:
	- parseED25519
	- ed25519PublicKey.Verify
	- parseSKEd25519
	- skEd25519PublicKey.Verify
	- NewPublicKey
	derived_symbols:
	- CertChecker.Authenticate
	- CertChecker.CheckCert
	- CertChecker.CheckHostKey
	- Certificate.Verify
	- Dial
	- NewClientConn
	- NewServerConn
	- NewSignerFromKey
	- NewSignerFromSigner
	- ParseAuthorizedKey
	- ParseKnownHosts
	- ParsePrivateKey
	- ParsePrivateKeyWithPassphrase
	- ParsePublicKey
	- ParseRawPrivateKey
	- ParseRawPrivateKeyWithPassphrase
	description: \|
	An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
	key, such that the library will panic when trying to verify a signature
	with it. If verifying signatures using user supplied public keys, this
	may be used as a denial of service vector.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2020-9283
	ghsas:
	- GHSA-ffhg-7mh4-33c4
	credit: Alex Gaynor, Fish in a Barrel
	references:
	- fix: https://go.dev/cl/220357
	- fix: https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
	- web: https://groups.google.com/g/golang-announce/c/3L45YRc91SY