As announced by Go upstream on 2019-10-17: Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest) CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. Upstream bug: https://github.com/golang/go/issues/34960
Created golang tracking bugs for this issue: Affects: epel-all [bug 1763311] Affects: fedora-all [bug 1763312]
Upstream bug: https://github.com/golang/go/issues/34960 Patch for 1.12 branch: https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73 Patch for 1.13 branch: https://github.com/golang/go/commit/4cabf6992e98f74a324e6f814a7cb35e41b05f25
Analysis: This is essentially a crash caused when verifying specially crafted DSA public certificates. As per upstream: "Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected." Similarly checking signatures on specially crafted X.509 certificates, or verifying specially crafted ssh host keys may also cause a crash.
External References: https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0101
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17596
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0329 https://access.redhat.com/errata/RHSA-2020:0329