
golang-go.crypto / CVE-2019-11841



My attempts to run the reproducer program have not been successful, as
*none* of the signatures validate. Not even the known good case.

$ GOPATH=/usr/share/gocode/ go run sig_spoof.go
Verifying not tampered...
openpgp: invalid argument: no armored data found
Verifying spoofed hash...
openpgp: invalid argument: no armored data found
Verifying spoofed cleartext...
No clearsign text found

I tried this on Debian stretch, buster, bullseye, and using the version
of the package downloaded using "go get
golang.org/x/crypto/openpgp/clearsign" on bullseye (this doesn't work on
stretch or buster due to certificate errors).

I was wondering if there was an error in my copy of sig_spoof. I
downloaded the source using:

https://dl.packetstormsecurity.net/1905-exploits/SA-20190513-0.txt

And deleted everything before and after the code, so I think it should
be OK.

Any ideas?
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

