blob: 931ddc0a1412909dfe2c3ce0c813035f285ca014 [file] [log] [blame]
id: GO-2023-1992
modules:
- module: golang.org/x/crypto
versions:
- fixed: 0.0.0-20190424203555-c05e17bb3b2d
vulnerable_at: 0.0.0-20190422183909-d864b10871cd
packages:
- package: golang.org/x/crypto/openpgp/clearsign
symbols:
- Decode
summary: Misleading message verification in golang.org/x/crypto/openpgp/clearsign
description: |-
The clearsign package accepts some malformed messages, making it possible for an
attacker to trick a human user (but not a Go program) into thinking unverified
text is part of the message.
With fix, messages with malformed headers in the SIGNED MESSAGE section are
rejected.
cves:
- CVE-2019-11841
ghsas:
- GHSA-x3jr-pf6g-c48f
credits:
- Aida Mynzhasova (SEC Consult Vulnerability Lab)
references:
- fix: https://go-review.git.corp.google.com/c/crypto/+/173778
- fix: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
- web: https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ
review_status: REVIEWED