{
"schema_version": "1.3.1",
"id": "GO-2022-0213",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-05-24T20:14:11Z",
"aliases": [
"CVE-2019-17596"
],
"summary": "Panic on invalid DSA public keys in crypto/dsa",
"details": "Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.\n\nMoreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.11"
},
{
"introduced": "1.13.0-0"
},
{
"fixed": "1.13.2"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "crypto/dsa",
"symbols": [
"Verify"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/205441"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/552987fdbf4c2bc9641016fd323c3ae5d3a0d9a3"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/34960"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/lVEm7llp0w0/m/VbafyRkgCgAJ"
}
],
"credits": [
{
"name": "Daniel M"
},
{
"name": "ragona"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0213"
}
}