Re: golang-go.crypto / CVE-2019-11841

To: Ola Lundqvist <ola@inguza.com>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: golang-go.crypto / CVE-2019-11841
From: Brian May <bam@debian.org>
Date: Sun, 13 Sep 2020 17:37:28 +1000
Message-id: <[🔎] 871rj6m8jr.fsf@canidae.wired.pri>
In-reply-to: <[🔎] CABY6=0=xDdOo1RH9iJiG=xS0T=GaQ48k+w-RSoLPSbTDcZxCUA@mail.gmail.com>
References: <87k0xes8kr.fsf@canidae.wired.pri> <[🔎] 87pn75t6vb.fsf@canidae.wired.pri> <[🔎] 87eenju6qa.fsf@canidae.wired.pri> <[🔎] 877dtatsa2.fsf@canidae.wired.pri> <[🔎] 87r1refqqe.fsf@canidae.wired.pri> <[🔎] CABY6=0nu1DP42xdGA-1whSZVY08fd0JSrarJijHAzAFMycfD7Q@mail.gmail.com> <[🔎] 874ko9p70k.fsf@canidae.wired.pri> <[🔎] CABY6=0nbk71vcgXX3yHeKmm1kYZi=+PduFCbiyNCDx8WXDwEQA@mail.gmail.com> <[🔎] 871rjbq50z.fsf@canidae.wired.pri> <[🔎] CABY6=0mSxsXpjhz-X+=p2wSSeXFuffVf=7X3AQ0GEyy1YRF9-A@mail.gmail.com> <[🔎] 87k0x2edaf.fsf@canidae.wired.pri> <[🔎] CABY6=0=xDdOo1RH9iJiG=xS0T=GaQ48k+w-RSoLPSbTDcZxCUA@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> Looking at the code and your email I have some concerns.
>
> Isn't the header part of the "signed" argument? If it is not, then there is
> no point of checking it since you can then just change the header anyway.
> If it is part of the signed message it is possible for the function to
> decode it and check it.
>
> Do the calling application need to do the check, can't
> CheckDetachedSignature do it?
>
> Or have I missed something?

CheckDetachedSignature is called like:

openpgp.CheckDetachedSignature(keyring, bytes.NewBuffer(b.Bytes), b.ArmoredSignature.Body)

b.Headers has the header we need to check, but we only pass the body
b.Bytes and the signature b.ArmoredSignature.Body. As in the headers
aren't covered by the signature (I assume there is a good reason...).

Does this make sense now?
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: golang-go.crypto / CVE-2019-11841
Next by Date: Call for help on testing ceph
Previous by thread: Re: golang-go.crypto / CVE-2019-11841
Next by thread: Re: golang-go.crypto / CVE-2019-11841
Index(es):
- Date
- Thread