Re: golang-go.crypto / CVE-2019-11841

Hi again

Also I think we need to consider the backwards compatibility of this. I guess there are quite a lot of emails with text before and after the signed text. If they will no longer be accepted this essentially means that the purpose of this function is pointless giving a less secure system than before. Less secure because most messages will not be verified and legitimate messages will be considered insecure, even if they are not. The user of the system cannot tell the difference.

// Ola

On Mon, 7 Sep 2020 at 09:56, Ola Lundqvist <ola@inguza.com> wrote:

Hi

To completely fix the second part of this CVE I think an API change is necessary.
The API need to return a list of unsigned and signed portions of the message so the application using it can make it visible what parts are signed and what parts are not.
However such a change is large and cannot be done in LTS.

Regarding the security purpose of the hash information I cannot really judge. I think it serves very little function but I could be wrong.

Cheers

// Ola

On Mon, 7 Sep 2020 at 01:08, Brian May <bam@debian.org> wrote:
Attached is my patch for Stretch, based on the upstream patch.

I am a bit uneasy about applying this and marking CVE-2019-11841 as
fixed, because contrary to what upstream say I don't think
CVE-2019-11841 is actually fixed. From the CVE description:

[...] However, the Go clearsign package ignores the value of this
header, which allows an attacker to spoof it. Consequently, an
attacker can lead a victim to believe the signature was generated
using a different message digest algorithm than what was actually
used. [...]

The upstream patch has done nothing to address this.
--
Brian May <bam@debian.org>

--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------