
Re: golang-go.crypto / CVE-2019-11841



Utkarsh Gupta <utkarsh@debian.org> writes:

> On Mon, Oct 5, 2020 at 3:03 AM Brian May <bam@debian.org> wrote:
>> I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can
>> cause a panic - however I feel this is not really a security issue.
>
> But still, in case you can include a fix for this in this upload,
> that'd be great!

I wasn't sure it was going to be worth it?

$ patch --dry-run -p1  < ../CVE-2020-9283.patch
checking file ssh/keys.go
Hunk #1 succeeded at 494 with fuzz 1 (offset -68 lines).
Hunk #2 FAILED at 584.
Hunk #3 FAILED at 840.
Hunk #4 succeeded at 807 with fuzz 2 (offset -57 lines).
Hunk #5 FAILED at 903.
Hunk #6 FAILED at 1056.
Hunk #7 FAILED at 1309.
5 out of 7 hunks FAILED

Looking at this again, it looks like it should be trivial to apply #2,
#5, and #6 manually. Not sure why these didn't apply automatically.
Which just leaves #3 - may not be required - and #7 - which only patches
a comment.
-- 
Brian May <bam@debian.org>

