Skip to content

crypto/x509: Certificate.Verify crash on macOS with Go 1.18 (CVE-2022-27536) [1.18 backport] #51763

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Mar 17, 2022 · 6 comments
Closed

crypto/x509: Certificate.Verify crash on macOS with Go 1.18 (CVE-2022-27536) [1.18 backport] #51763

gopherbot opened this issue Mar 17, 2022 · 6 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.18.1

Comments

@gopherbot
Copy link
Contributor

@bradfitz requested issue #51759 to be considered for backport to the next 1.18 minor release.

@gopherbot please consider this for backport to 1.18, it's a regression
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 17, 2022
@gopherbot gopherbot mentioned this issue Mar 17, 2022
Closed
@gopherbot gopherbot added this to the Go1.18.1 milestone Mar 17, 2022
@bradfitz
Copy link
Contributor

cc @rolandshoemaker @josharian

@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/394655 mentions this issue: [release-branch.go1.18] crypto/x509: fix Certificate.Verify crash

@toothrot
Copy link
Contributor

@rolandshoemaker @bradfitz @heschi Is this bug also present in 1.17, or is this breakage new in 1.18?

@heschi
Copy link
Contributor

heschi commented Mar 23, 2022

Looks to me like this code is new in https://go.dev/cl/353132 so I buy it's new, FWIW.

@rolandshoemaker
Copy link
Member

It's just in 1.18.

@heschi heschi added the CherryPickApproved Used during the release process for point releases label Mar 30, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Mar 30, 2022
gopherbot pushed a commit that referenced this issue Apr 4, 2022
@bradfitz @josharian @cherrymui
[release-branch.go1.18] crypto/x509: fix Certificate.Verify crash

Verified

This commit was signed with the committer’s verified signature. The key has expired.
jirfag Denis Isaev
GPG key ID: A36A0EC8E27A1A01
Expired
Verified
Learn about vigilant mode
30d9077 
(Primarily from Josh)

Updates #51759
Fixes #51763
Fixes CVE-2022-27536

Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com>
Change-Id: I0a6f2623b57750abd13d5e194b5c6ffa3be6bf72
Reviewed-on: https://go-review.googlesource.com/c/go/+/393655
Trust: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 0fca8a8)
Reviewed-on: https://go-review.googlesource.com/c/go/+/394655
Trust: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
@gopherbot
Copy link
Contributor Author

Closed by merging 30d9077 to release-branch.go1.18.

@dmitshur dmitshur changed the title crypto/x509: Certificate.Verify crash on macOS with Go 1.18 [1.18 backport] crypto/x509: Certificate.Verify crash on macOS with Go 1.18 (CVE-2022-27536) [1.18 backport] Apr 19, 2022
@golang golang locked and limited conversation to collaborators Apr 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.18.1
Development

No branches or pull requests
6 participants
@bradfitz @toothrot @FiloSottile @rolandshoemaker @gopherbot @heschi