diff options
| author | Dmitri Shuralyov <dmitshur@golang.org> | 2020-01-28 13:20:57 -0500 |
|---|---|---|
| committer | Dmitri Shuralyov <dmitshur@golang.org> | 2020-01-28 20:26:36 +0000 |
| commit | b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574 (patch) | |
| tree | 74d4ed6d478c2fc21a3ecab301aae55d6675defe /src/go.mod | |
| parent | a858d15f11f87b53792a6afb156716b80f9634c7 (diff) | |
| download | go-b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574.tar.gz go-b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574.zip | |
src/go.mod: import x/crypto/cryptobyte security fix for 32-bit archs
cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs
When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
overflow could occur, causing a panic, due to malformed ASN.1 being
passed to any of the ASN1 methods of String.
Tested on linux/386 and darwin/amd64.
This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
test vectors.
Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/216677
Run-TryBot: Katie Hockman <katie@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
x/crypto/cryptobyte is used in crypto/x509 for parsing certificates.
Malformed certificates might cause a panic during parsing on 32-bit
architectures (like arm and 386).
Change-Id: I840feb54eba880dbb96780ef7adcade073c4c4e3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647741
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/216680
Reviewed-by: Katie Hockman <katie@golang.org>
Diffstat (limited to 'src/go.mod')
| -rw-r--r-- | src/go.mod | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/go.mod b/src/go.mod index 3ef0710745..72114080ce 100644 --- a/src/go.mod +++ b/src/go.mod @@ -3,7 +3,7 @@ module std go 1.14 require ( - golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 + golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 // indirect golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect |