Re: golang-go.crypto / CVE-2019-11841

To: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: golang-go.crypto / CVE-2019-11841
From: Brian May <bam@debian.org>
Date: Thu, 10 Sep 2020 09:33:12 +1000
Message-id: <[🔎] 87k0x2edaf.fsf@canidae.wired.pri>
In-reply-to: <[🔎] CABY6=0mSxsXpjhz-X+=p2wSSeXFuffVf=7X3AQ0GEyy1YRF9-A@mail.gmail.com>
References: <87k0xes8kr.fsf@canidae.wired.pri> <[🔎] 87pn75t6vb.fsf@canidae.wired.pri> <[🔎] 87eenju6qa.fsf@canidae.wired.pri> <[🔎] 877dtatsa2.fsf@canidae.wired.pri> <[🔎] 87r1refqqe.fsf@canidae.wired.pri> <[🔎] CABY6=0nu1DP42xdGA-1whSZVY08fd0JSrarJijHAzAFMycfD7Q@mail.gmail.com> <[🔎] 874ko9p70k.fsf@canidae.wired.pri> <[🔎] CABY6=0nbk71vcgXX3yHeKmm1kYZi=+PduFCbiyNCDx8WXDwEQA@mail.gmail.com> <[🔎] 871rjbq50z.fsf@canidae.wired.pri> <[🔎] CABY6=0mSxsXpjhz-X+=p2wSSeXFuffVf=7X3AQ0GEyy1YRF9-A@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> Do we have an idea on how a good patch would look like?

OK, I think a patch may not be as simple as I hoped.

CheckDetachedSignature() is where we decode the packet and determine the
hash function used.

But this function is not supplied the headers so it cannot check the
headers. And this function doesn't return the hashFunc used either, so
the calling function cannot check the headers.

Plus the hashFunc is an integer it needs to be decoded into a string -
there is a private function - nameOfHash - that does this.

So some sort of API change is required I think.

I am a bit disappointed actually that the CheckDetachedSignature()
doesn't return the hash used. It means that the calling application only
has access to the insecure value that cannot be trusted.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: golang-go.crypto / CVE-2019-11841
Next by Date: Re: Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch
Previous by thread: Re: golang-go.crypto / CVE-2019-11841
Next by thread: Re: golang-go.crypto / CVE-2019-11841
Index(es):
- Date
- Thread