Re: golang-go.crypto / CVE-2019-11841
Utkarsh Gupta <firstname.lastname@example.org> writes:
> On Mon, Oct 5, 2020 at 3:03 AM Brian May <email@example.com> wrote:
>> I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can
>> cause a panic - however I feel this is not really a security issue.
> But still, in case you can include a fix for this in this upload,
> that'd be great!

I wasn't sure it was going to be worth it?

$ patch --dry-run -p1 < ../CVE-2020-9283.patch
checking file ssh/keys.go
Hunk #1 succeeded at 494 with fuzz 1 (offset -68 lines).
Hunk #2 FAILED at 584.
Hunk #3 FAILED at 840.
Hunk #4 succeeded at 807 with fuzz 2 (offset -57 lines).
Hunk #5 FAILED at 903.
Hunk #6 FAILED at 1056.
Hunk #7 FAILED at 1309.
5 out of 7 hunks FAILED

Looking at this again, it looks like it should be trivial to apply #2,
#5, and #6 manually. Not sure why these didn't apply automatically.
Which just leaves #3 - may not be required - and #7 - which only patches
Brian May <firstname.lastname@example.org>