security: fix CVE-2024-24783 [1.21 backport] #65392

Closed
gopherbot opened this issue Jan 30, 2024 · 2 comments
Labels: CherryPickApproved (used during the release process for point releases), Security
Comments

@gopherbot (Contributor)

@neild requested issue #65390 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues for this security fix.

@gopherbot gopherbot added the CherryPickCandidate and Security labels Jan 30, 2024
@gopherbot gopherbot added this to the Go1.21.7 milestone Jan 30, 2024
@neild neild added the CherryPickApproved label and removed the CherryPickCandidate label Jan 30, 2024
@gopherbot gopherbot modified the milestones: Go1.21.7, Go1.21.8 Feb 6, 2024
@neild neild modified the milestone: Go1.21.8 Feb 21, 2024
@neild neild self-assigned this Feb 21, 2024
@gopherbot (Contributor, Author)

Change https://go.dev/cl/569238 mentions this issue: [release-branch.go1.21] crypto/x509: make sure pub key is non-nil before interface conversion

gopherbot pushed a commit that referenced this issue Mar 5, 2024
…ore interface conversion

alreadyInChain assumes all keys fit an interface which contains the
Equal method (which they do), but this ignores that certificates may
have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In
this case alreadyInChain panics.

Check that the key is non-nil as part of considerCandidate (we are never
going to build a chain containing UnknownPublicKeyAlgorithm anyway).

For #65390
Fixes #65392
Fixes CVE-2024-24783

Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569238
Auto-Submit: Michael Knyszek <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
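The nil-key panic the commit message describes, next to the kind of check the fix adds, as an added Go example that is not the Go project's own code: pubKeyEqual, sameKeyUnchecked, sameKeyChecked, fixtures and panics are hypothetical names, and the certificates are constructed struct literals standing in for parsed ones.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// pubKeyEqual mirrors the interface alreadyInChain asserts on; every key type
// the stdlib parser produces (RSA, ECDSA, Ed25519) implements it.
type pubKeyEqual interface{ Equal(crypto.PublicKey) bool }
// sameKeyUnchecked reproduces the pre-fix pattern: a cert parsed as
// UnknownPublicKeyAlgorithm has a nil PublicKey, and asserting on nil panics.
func sameKeyUnchecked(candidate, inChain *x509.Certificate) bool {
	return candidate.PublicKey.(pubKeyEqual).Equal(inChain.PublicKey)
}

// sameKeyChecked is the hardened form: a nil key is never compared (no chain is
// built through an unknown algorithm) and the two-value assertion cannot panic.
func sameKeyChecked(candidate, inChain *x509.Certificate) bool {
	if candidate.PublicKey == nil || inChain.PublicKey == nil {
		return false
	}
	k, ok := candidate.PublicKey.(pubKeyEqual)
	return ok && k.Equal(inChain.PublicKey)
}

// fixtures returns a constructed Ed25519 cert and a constructed nil-key stand-in for an unrecognised SPKI algorithm.
func fixtures() (known, unknown *x509.Certificate) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	known = &x509.Certificate{PublicKeyAlgorithm: x509.Ed25519, PublicKey: pub}
	return known, &x509.Certificate{PublicKeyAlgorithm: x509.UnknownPublicKeyAlgorithm}
}
// panics reports whether f panics, so the two variants can be contrasted.
func panics(f func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	f()
	return false
}

func main() {
	known, unknown := fixtures()
	fmt.Println("unchecked panics:", panics(func() { sameKeyUnchecked(unknown, known) }))
	fmt.Println("checked nil:", sameKeyChecked(unknown, known), "same:", sameKeyChecked(known, known))
}
```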
@gopherbot (Contributor, Author)

Closed by merging be5b52b to release-branch.go1.21.
