Bug 1763310 (CVE-2019-17596)
Summary: | CVE-2019-17596 golang: invalid public key causes panic in dsa.Verify | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | kat <kbost> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | admiller, amctagga, amurdaca, anharris, aos-bugs, asm, bmontgom, bniver, bodavis, deparker, emachado, eparis, flucifre, gmeno, hchiramm, huzaifas, hvyas, jburrell, jcajka, jmulligan, jokerman, jpadman, law, lemenkov, madam, maszulik, mbenjamin, mfojtik, mhackett, mkaplan, mnewsome, nstielau, puebele, renich, rhs-bugs, rphillips, sisharma, sponnaga, storage-qa-internal, tstellar, vbatts, vbellur, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | go 1.13.2, go 1.12.11 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-01-14 14:09:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1883645, 1763311, 1763312, 1763977, 1763978, 1773500, 1773501, 1785346, 1785389, 1785664, 1793812 | ||
Bug Blocks: | 1763314 |
Description
kat
2019-10-18 18:13:50 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 1763311] Affects: fedora-all [bug 1763312] Upstream bug: https://github.com/golang/go/issues/34960 Patch for 1.12 branch: https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73 Patch for 1.13 branch: https://github.com/golang/go/commit/4cabf6992e98f74a324e6f814a7cb35e41b05f25 Analysis: This is essentially a crash caused when verifying specially crafted DSA public certificates. As per upstream: "Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected." Similarly checking signatures on specially crafted X.509 certificates, or verifying specially crafted ssh host keys may also cause a crash. External References: https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0101 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17596 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0329 https://access.redhat.com/errata/RHSA-2020:0329 |