subject:"Bug#820369\: \[pkg\-golang\-devel\] Bug#820369\: golang\: CVE\-2016\-3959\: infinite loop in several big integer routines"

Bug#820369: [pkg-golang-devel] Bug#820369: golang: CVE-2016-3959: infinite loop in several big integer routines

2016-04-13 Thread Tianon Gravi

found 820369 golang/2:1.3.3-1
thanks

On 8 April 2016 at 09:25, Tianon Gravi  wrote:
> (Go 1.5.4 and Go 1.6.1 will be released on Wednesday April 13 at
> approximately 2am UTC)

I've uploaded 1.6.1 to unstable, but attached is a patch which appears
to apply cleanly against jessie's 1.3.3 (only modified paths for src/
-> src/pkg/ from the patch that was applied via CL upstream).


♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4
From eb876dd83cb8413335d64e50aae5d38337d1ebb4 Mon Sep 17 00:00:00 2001
From: Robert Griesemer 
Date: Tue, 5 Apr 2016 09:44:00 -0700
Subject: [PATCH] crypto/dsa: eliminate invalid PublicKey early

For PublicKey.P == 0, Verify will fail. Don't even try.

Change-Id: I1009f2b3dead8d0041626c946633acb10086d8c8
Reviewed-on: https://go-review.googlesource.com/21533
Reviewed-by: Brad Fitzpatrick 
Run-TryBot: Brad Fitzpatrick 
TryBot-Result: Gobot Gobot 
---
 src/pkg/crypto/dsa/dsa.go | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/pkg/crypto/dsa/dsa.go b/src/pkg/crypto/dsa/dsa.go
index 96768ce..e9b6a0c 100644
--- a/src/pkg/crypto/dsa/dsa.go
+++ b/src/pkg/crypto/dsa/dsa.go
@@ -247,6 +247,10 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
 func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 	// FIPS 186-3, section 4.7
 
+	if pub.P.Sign() == 0 {
+		return false
+	}
+
 	if r.Sign() < 1 || r.Cmp(pub.Q) >= 0 {
 		return false
 	}

Bug#820369: [pkg-golang-devel] Bug#820369: golang: CVE-2016-3959: infinite loop in several big integer routines

2016-04-08 Thread Tianon Gravi

On 7 April 2016 at 12:01, Salvatore Bonaccorso  wrote:
> the following vulnerability was published for golang.
>
> CVE-2016-3959[0]:
> infinite loop in several big integer routines

The official "new release" pre-announcement is up now:
https://groups.google.com/d/topic/golang-announce/MmSbFHLPo8g/discussion

(Go 1.5.4 and Go 1.6.1 will be released on Wednesday April 13 at
approximately 2am UTC)

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4

Bug#820369: [pkg-golang-devel] Bug#820369: golang: CVE-2016-3959: infinite loop in several big integer routines

Bug#820369: [pkg-golang-devel] Bug#820369: golang: CVE-2016-3959: infinite loop in several big integer routines

2 matches

Site Navigation

Mail list logo

Footer information