data/reports/GO-2023-1992.yaml

id: GO-2023-1992
modules:
    - module: golang.org/x/crypto
      versions:
        - fixed: 0.0.0-20190424203555-c05e17bb3b2d
      vulnerable_at: 0.0.0-20190422183909-d864b10871cd
      packages:
        - package: golang.org/x/crypto/openpgp/clearsign
          symbols:
            - Decode
summary: Misleading message verification in golang.org/x/crypto/openpgp/clearsign
description: |-
    The clearsign package accepts some malformed messages, making it possible for an
    attacker to trick a human user (but not a Go program) into thinking unverified
    text is part of the message.

    With fix, messages with malformed headers in the SIGNED MESSAGE section are
    rejected.
cves:
    - CVE-2019-11841
ghsas:
    - GHSA-x3jr-pf6g-c48f
credits:
    - Aida Mynzhasova (SEC Consult Vulnerability Lab)
references:
    - fix: https://go-review.git.corp.google.com/c/crypto/+/173778
    - fix: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
    - web: https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ