Comparing changes

base repository: golang/go
base: 14b79df
head repository: golang/go
compare: 7d2473d
  • 3 commits
  • 7 files changed
  • 2 contributors

Commits on Jan 24, 2020

  1. [release-branch.go1.13-security] crypto/x509: mitigate CVE-2020-0601 verification bypass on Windows
    
    An attacker can trick the Windows system verifier to use a poisoned set
    of elliptic curve parameters for a trusted root, allowing it to generate
    spoofed signatures. When this happens, the returned chain will present
    the unmodified original root, so the actual signatures won't verify (as
    they are invalid for the correct parameters). Simply double check them
    as a safety measure and mitigation.
    
    Windows users should still install the system security patch ASAP.
    
    This is the same mitigation adopted by Chromium:
    
    https://chromium-review.googlesource.com/c/chromium/src/+/1994434
    
    Change-Id: I2c734f6fb2cb51d906c7fd77034318ffeeb3e146
    Reviewed-on: https://go-review.googlesource.com/c/go/+/215905
    Run-TryBot: Filippo Valsorda <[email protected]>
    TryBot-Result: Gobot Gobot <[email protected]>
    Reviewed-by: Ryan Sleevi <[email protected]>
    Reviewed-by: Katie Hockman <[email protected]>
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647123
    Reviewed-by: Filippo Valsorda <[email protected]>
    FiloSottile authored and katiehockman committed Jan 24, 2020
    Commit 0cfa6f6
  2. [release-branch.go1.13-security] src/go.mod: import x/crypto/cryptobyte security fix for 32-bit archs
    
        cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs
    
        When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
        overflow could occur, causing a panic, due to malformed ASN.1 being
        passed to any of the ASN1 methods of String.
    
        Tested on linux/386 and darwin/amd64.
    
        This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
        test vectors.
    
        Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
        Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211
        Reviewed-by: Katie Hockman <[email protected]>
        Reviewed-by: Adam Langley <[email protected]>
    
    x/crypto/cryptobyte is used in crypto/x509 for parsing certificates.
    Malformed certificates might cause a panic during parsing on 32-bit
    architectures (like arm and 386).
    
    Change-Id: I840feb54eba880dbb96780ef7adcade073c4c4e3
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647741
    Reviewed-by: Katie Hockman <[email protected]>
    FiloSottile committed Jan 24, 2020
    Commit f938e06
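
The double-check described in the first commit message (CVE-2020-0601), as an added Go example that is not the code from this change: a chain handed back by a verifier is re-verified link by link against the locally parsed parent keys. `recheckChain`, `issue` and `demo` are hypothetical names, the certificates are constructed in-process, and a second key stands in for the poisoned curve parameters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// recheckChain re-verifies each signature in chain (leaf first) against the parent's locally parsed key.
func recheckChain(chain ...*x509.Certificate) error {
	for i := 1; i < len(chain); i++ {
		c, parent := chain[i-1], chain[i]
		if err := parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
			return fmt.Errorf("cert %d is not signed by cert %d: %w", i-1, i, err)
		}
	}
	return nil
}

// issue makes a minimal constructed cert for signer's own public key, with parent's name as issuer.
func issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (cert *x509.Certificate) {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &signer.PublicKey, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert
}

// demo rechecks an honest chain and a spoofed one (all data constructed here).
func demo() (honest, spoofed error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	evilKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for spoofed parameters
	name := &x509.Certificate{Subject: pkix.Name{CommonName: "Trusted Root"}}
	root := issue("Trusted Root", name, rootKey) // self-issued trusted root
	good := issue("a.test", root, rootKey)       // signed with the root's real key
	bad := issue("a.test", name, evilKey)        // root's name as issuer, different key
	return recheckChain(good, root), recheckChain(bad, root)
}

func main() { fmt.Println(demo()) }
```

The spoofed chain names the trusted root as issuer, which is what a fooled verifier would hand back, yet the leaf's signature fails against the root's real key.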

Commits on Jan 27, 2020

  1. Commit 7d2473d