| id: GO-2023-1992 |
| modules: |
| - module: golang.org/x/crypto |
| versions: |
| - fixed: 0.0.0-20190424203555-c05e17bb3b2d |
| vulnerable_at: 0.0.0-20190422183909-d864b10871cd |
| packages: |
| - package: golang.org/x/crypto/openpgp/clearsign |
| symbols: |
| - Decode |
| summary: Misleading message verification in golang.org/x/crypto/openpgp/clearsign |
| description: |- |
| The clearsign package accepts some malformed messages, making it possible for an |
| attacker to trick a human user (but not a Go program) into thinking unverified |
| text is part of the message. |
| |
| With fix, messages with malformed headers in the SIGNED MESSAGE section are |
| rejected. |
| cves: |
| - CVE-2019-11841 |
| ghsas: |
| - GHSA-x3jr-pf6g-c48f |
| credits: |
| - Aida Mynzhasova (SEC Consult Vulnerability Lab) |
| references: |
| - fix: https://go-review.git.corp.google.com/c/crypto/+/173778 |
| - fix: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442 |
| - web: https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ |
| review_status: REVIEWED |