blob: 31621b1ddfefd5759b530e7a5e90a1c4aab1c1df [file] [log] [blame]
id: GO-2022-0209
modules:
- module: golang.org/x/crypto
versions:
- fixed: 0.0.0-20190320223903-b7391e95e576
vulnerable_at: 0.0.0-20190313024323-a1f597ede03a
packages:
- package: golang.org/x/crypto/salsa20/salsa
goarch:
- amd64
symbols:
- XORKeyStream
summary: Insufficiently random values in golang.org/x/crypto/salsa20
description: |-
XORKeyStream generates incorrect and insecure output for very large inputs.
If more than 256 GiB of keystream is generated, or if the counter otherwise
grows greater than 32 bits, the amd64 implementation will first generate
incorrect output, and then cycle back to previously generated keystream.
Repeated keystream bytes can lead to loss of confidentiality in encryption
applications, or to predictability in CSPRNG applications.
The issue might affect uses of golang.org/x/crypto/nacl with extremely large
messages.
Architectures other than amd64 and uses that generate less than 256 GiB of
keystream for a single salsa20.XORKeyStream invocation are unaffected.
published: 2022-07-01T20:15:25Z
cves:
- CVE-2019-11840
ghsas:
- GHSA-r5c5-pr8j-pfp7
credits:
- Michael McLoughlin
references:
- fix: https://go.dev/cl/168406
- fix: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
- report: https://go.dev/issue/30965
- web: https://groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ