data/reports/GO-2020-0012.yaml - vulndb - Git at Google

 modules:
   - module: golang.org/x/crypto
     versions:
       - fixed: 0.0.0-20200220183623-bac4c82f6975
     packages:
       - package: golang.org/x/crypto/ssh
         symbols:
           - parseED25519
           - ed25519PublicKey.Verify
           - parseSKEd25519
           - skEd25519PublicKey.Verify
           - NewPublicKey
 description: |
     An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
     key, such that the library will panic when trying to verify a signature
     with it. If verifying signatures using user supplied public keys, this
     may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2020-9283
 ghsas:
   - GHSA-ffhg-7mh4-33c4
 credit: Alex Gaynor, Fish in a Barrel
 references:
   - fix: https://go.dev/cl/220357
   - fix: https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
   - web: https://groups.google.com/g/golang-announce/c/3L45YRc91SY
	modules:
	- module: golang.org/x/crypto
	versions:
	- fixed: 0.0.0-20200220183623-bac4c82f6975
	packages:
	- package: golang.org/x/crypto/ssh
	symbols:
	- parseED25519
	- ed25519PublicKey.Verify
	- parseSKEd25519
	- skEd25519PublicKey.Verify
	- NewPublicKey
	description: \|
	An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
	key, such that the library will panic when trying to verify a signature
	with it. If verifying signatures using user supplied public keys, this
	may be used as a denial of service vector.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2020-9283
	ghsas:
	- GHSA-ffhg-7mh4-33c4
	credit: Alex Gaynor, Fish in a Barrel
	references:
	- fix: https://go.dev/cl/220357
	- fix: https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
	- web: https://groups.google.com/g/golang-announce/c/3L45YRc91SY