Commit 44bb3b4b authored by Katie Hockman, committed by Katie Hockman

[release-branch.go1.12-security] internal/x/crypto/cryptobyte: import security fix for 32-bit archs

    cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs

    When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
    overflow could occur, causing a panic, due to malformed ASN.1 being
    passed to any of the ASN1 methods of String.

    Tested on linux/386 and darwin/amd64.

    This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
    test vectors.

    Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211


    Reviewed-by: Katie Hockman <katiehockman@google.com>
    Reviewed-by: Adam Langley <agl@google.com>

x/crypto/cryptobyte is used in crypto/x509 for parsing certificates.
Malformed certificates might cause a panic during parsing on 32-bit
architectures (like arm and 386).

Change-Id: I3c619af508bacff84023be4d5a7c4992c2f20a56
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647483


Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
parent a8b372fb
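
An added illustration of the class of bug the commit message describes, not the cryptobyte code or its fix (the diff is not shown on this page): a DER length that fits in a uint32 wraps or turns negative once the header size is added and the sum is treated as a 32-bit int. The function names, the assumed mechanism and the sample bytes are constructed for this example.

```go
package main

import "fmt"

// derHeader reads the identifier and length octets of one DER element.
func derHeader(b []byte) (headerLen, contentLen uint32, ok bool) {
	if len(b) < 2 {
		return 0, 0, false
	}
	if b[1]&0x80 == 0 { // short form: length held in bits 1-7
		return 2, uint32(b[1]), true
	}
	n := int(b[1] & 0x7f) // long form: n length octets follow
	if n == 0 || n > 4 || len(b) < 2+n {
		return 0, 0, false
	}
	for _, c := range b[2 : 2+n] {
		contentLen = contentLen<<8 | uint32(c)
	}
	// DER requires the minimal length encoding.
	if contentLen < 128 || contentLen>>(uint(n-1)*8) == 0 {
		return 0, 0, false
	}
	return uint32(2 + n), contentLen, true
}

// uncheckedSize32 adds in uint32 and converts to a 32-bit int, the unsafe
// pattern: the sum can wrap to a small value or become negative.
func uncheckedSize32(headerLen, contentLen uint32) int32 {
	return int32(headerLen + contentLen)
}

// checkedSize adds in 64 bits and rejects sizes that do not fit an int of
// intBits bits or that exceed the input, so the result is safe to slice with.
func checkedSize(b []byte, intBits uint) (int, bool) {
	h, c, ok := derHeader(b)
	total := uint64(h) + uint64(c)
	if !ok || total > uint64(1)<<(intBits-1)-1 || total > uint64(len(b)) {
		return 0, false
	}
	return int(total), true
}

// Constructed sample inputs: a SEQUENCE claiming 0xffffffff content bytes,
// and a well-formed 3-byte OCTET STRING.
var hugeLen = []byte{0x30, 0x84, 0xff, 0xff, 0xff, 0xff}
var okElem = []byte{0x04, 0x03, 'a', 'b', 'c'}

func main() {
	h, c, _ := derHeader(hugeLen)
	fmt.Println(uncheckedSize32(h, c), uncheckedSize32(6, 0x80000000))
	fmt.Println(checkedSize(hugeLen, 32))
	fmt.Println(checkedSize(okElem, 32))
}
```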