Bug 2268019 (CVE-2024-24783)

Summary: CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abishop, adudiak, amasferr, amctagga, ansmith, aoconnor, apjagtap, asatyam, aveerama, bdettelb, bniver, bodavis, chazlett, davidn, dbenoit, dfreiber, dhanak, diagrawa, dkenigsb, dperaza, drow, dsimansk, dymurray, eaguilar, ebaron, eglynn, emachado, epacific, fdeutsch, flucifre, ganandan, gmeno, gparvin, ibolton, jaharrin, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jmatthew, jmontleo, jneedle, jobarker, joelsmith, jpallich, jschluet, kaycoth, kingland, kshier, kverlaen, lbainbri, lhh, lmadsen, lsvaty, mabashia, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mkudlej, mmagr, mnewsome, mnovotny, mrajanna, mrunge, mwringe, njean, nobody, odf-bz-bot, omaciel, oramraz, osapryki, owatkins, pahickey, peholase, periklis, pgrist, pierdipi, pjindal, rgarg, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, sabiswas, saroy, sdawley, sfroberg, shbose, sidakwo, simaishi, sipoyare, skontopo, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, teagle, tjochec, ubhargav, vereddy, vkareh, vkumar, whayutin, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: go 1.21.8, go 1.22.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go's crypto/x509 standard library package. Verifying a certificate chain that contains a certificate with an unknown public key algorithm will cause a Certificate.Verify to panic. This issue affects all crypto/tls clients and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2268246, 2268247, 2268248, 2276443, 2276444, 2276445, 2276446, 2276447, 2276448, 2276449, 2276450, 2276451, 2276452, 2276453, 2276454, 2276455, 2276456, 2276621, 2276457, 2276458    
Bug Blocks: 2268016    

Description Robb Gatica 2024-03-06 01:57:37 UTC 
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

https://github.com/golang/go/issues/65390
Comment 4 Robb Gatica 2024-03-06 19:22:56 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2268247]
Affects: fedora-all [bug 2268246]
Comment 18 errata-xmlrpc 2024-04-29 02:27:00 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088
Comment 19 errata-xmlrpc 2024-04-30 14:39:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562
Comment 22 errata-xmlrpc 2024-05-07 10:38:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2724 https://access.redhat.com/errata/RHSA-2024:2724