Cypherpunks repositories - gostls13.git/commit
author Filippo Valsorda <filippo@golang.org>
Fri, 24 Jan 2020 23:04:20 +0000 (18:04 -0500)
committer Filippo Valsorda <valsorda@google.com>
Fri, 24 Jan 2020 23:41:10 +0000 (23:41 +0000)
commit f938e06d0623d0e1de202575d16f1e126741f6e0
tree 19ddaa047c8bd77bb42b55d8357ce345ad3fc4a0
parent 0cfa6f6086a0361f98bef4100ccc2e68bec02ccb
[release-branch.go1.13-security] src/go.mod: import x/crypto/cryptobyte security fix for 32-bit archs

    cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs

    When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
    overflow could occur, causing a panic, due to malformed ASN.1 being
    passed to any of the ASN1 methods of String.

    Tested on linux/386 and darwin/amd64.

    This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
    test vectors.

    Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211
    Reviewed-by: Katie Hockman <katiehockman@google.com>
    Reviewed-by: Adam Langley <agl@google.com>

x/crypto/cryptobyte is used in crypto/x509 for parsing certificates.
Malformed certificates might cause a panic during parsing on 32-bit
architectures (like arm and 386).

Change-Id: I840feb54eba880dbb96780ef7adcade073c4c4e3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647741
Reviewed-by: Katie Hockman <katiehockman@google.com>
src/go.mod
src/go.sum
src/vendor/golang.org/x/crypto/cryptobyte/asn1.go
src/vendor/golang.org/x/crypto/cryptobyte/string.go
src/vendor/modules.txt
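
The overflow class the commit message describes, shown as an added example (not code from this commit or from x/crypto; the page does not show the patched lines). `derLength`, `naiveFits` and `checkedFits` are hypothetical names, and `int32` stands in for `int` on 386/arm so the behaviour is the same on any architecture.

```go
package main

import (
	"errors"
	"fmt"
)

// derLength reads the tag and length octets of one DER element and returns
// the header size and the declared content length. Hypothetical helper; it
// does not enforce minimal length encoding.
func derLength(b []byte) (hdr int, length uint32, err error) {
	if len(b) < 2 {
		return 0, 0, errors.New("truncated header")
	}
	if b[1]&0x80 == 0 { // short form: length is in the low 7 bits
		return 2, uint32(b[1]), nil
	}
	n := int(b[1] & 0x7f) // long form: number of length octets that follow
	if n == 0 || n > 4 || len(b) < 2+n {
		return 0, 0, errors.New("bad length encoding")
	}
	for _, c := range b[2 : 2+n] {
		length = length<<8 | uint32(c)
	}
	return 2 + n, length, nil
}

// naiveFits models a bounds check of the form "len(rest) < n => reject"
// where n is a 32-bit int. A declared length >= 1<<31 wraps negative,
// so the check passes and a later rest[:n] would panic.
func naiveFits(rest []byte, length uint32) bool {
	n := int32(length)
	return !(int32(len(rest)) < n)
}

// checkedFits also rejects any length that is negative after conversion.
func checkedFits(rest []byte, length uint32) bool {
	n := int32(length)
	return n >= 0 && int32(len(rest)) >= n
}

func main() {
	// Constructed input: SEQUENCE declaring 0x80000000 content bytes, 2 present.
	in := []byte{0x30, 0x84, 0x80, 0x00, 0x00, 0x00, 0x05, 0x00}
	hdr, l, err := derLength(in)
	fmt.Println(hdr, l, err, naiveFits(in[hdr:], l), checkedFits(in[hdr:], l))
}
```

On a 64-bit `int` the same declared length stays positive and the naive check rejects it, which is why a defect of this kind only shows up when tests also run on a 32-bit target.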