| id: GO-2022-0171 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.6.4 |
| - introduced: 1.7.0-0 |
| fixed: 1.7.4 |
| vulnerable_at: 1.7.3 |
| packages: |
| - package: crypto/x509 |
| goos: |
| - darwin |
| symbols: |
| - FetchPEMRoots |
| - execSecurityRoots |
| skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)' |
| summary: Mishandled trust preferences for root certificates on Darwin in crypto/x509 |
| description: |- |
| On Darwin, user's trust preferences for root certificates were not honored. If |
| the user had a root certificate loaded in their Keychain that was explicitly not |
| trusted, a Go program would still verify a connection using that root |
| certificate. |
| published: 2022-05-24T20:17:59Z |
| cves: |
| - CVE-2017-1000097 |
| credits: |
| - Xy Ziemba |
| references: |
| - fix: https://go.dev/cl/33721 |
| - fix: https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a |
| - report: https://go.dev/issue/18141 |
| - web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ |
| review_status: REVIEWED |