x/crypto/openpgp/clearsign: incomplete fix in CL 173778 #41200
Labels
FrozenDueToAge
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Summary: CVE-2019-11841 was fixed by https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442 but this fix is incomplete, and appears to fix only one of the test cases.
https://security-tracker.debian.org/tracker/CVE-2019-11841
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I ran the script supplied from https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html after fixing an error in the PGP key - see https://salsa.debian.org/bam/cve-2019-11841/-/blob/master/sig_spoof.go
What did you expect to see?
The first test should succeed, the second and third tests should fail.
What did you see instead?
The first test succeed, the second test succeeded, and only the third test failed. The 2nd test should not succeed because the hash header was tampered with.
The text was updated successfully, but these errors were encountered: