security: fix CVE-2024-24783 [1.22 backport] #65831

Closed
neild opened this issue Feb 21, 2024 · 2 comments
Assignees: neild
Labels: CherryPickApproved (used during the release process for point releases), Security
Milestone: Go1.22.1

Comments

neild (Contributor) commented Feb 21, 2024

Security fix backport for #65390.

@neild neild added Security CherryPickApproved Used during the release process for point releases labels Feb 21, 2024
@neild neild added this to the Go1.22.1 milestone Feb 21, 2024
@neild neild self-assigned this Feb 21, 2024
gopherbot (Contributor) commented:

Change https://go.dev/cl/569235 mentions this issue: [release-branch.go1.22] crypto/x509: make sure pub key is non-nil before interface conversion

gopherbot pushed a commit that referenced this issue Mar 5, 2024
…ore interface conversion

alreadyInChain assumes all keys fit an interface which contains the
Equal method (which they do), but this ignores that certificates may
have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In
this case alreadyInChain panics.

Check that the key is non-nil as part of considerCandidate (we are never
going to build a chain containing UnknownPublicKeyAlgorithm anyway).

For #65390
Fixes #65831
Fixes CVE-2024-24783

Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174343
Reviewed-by: Carlos Amedee <amedee@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569235
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
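The panic path the commit message describes, as an added example that is not the Go project's own code: the two functions below are modelled on the shape of `alreadyInChain` and `considerCandidate` in crypto/x509 (the RawSubject comparison and the `pubKeyEqual` assertion are reproduced from memory, so treat the function names and the exact form of the fix line as assumptions). Instead of parsing DER, the certificates are constructed inline as bare `x509.Certificate` structs, with `PublicKey` left nil and `PublicKeyAlgorithm` set to `UnknownPublicKeyAlgorithm`, which is the state the commit message says a certificate with an unrecognised key algorithm is left in.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// pubKeyEqual is the interface alreadyInChain relies on. Every key type the
// parser produces (RSA, ECDSA, Ed25519) implements it; a nil PublicKey does not.
type pubKeyEqual interface {
	Equal(crypto.PublicKey) bool
}

// alreadyInChain models the pre-fix check (assumed shape, not the real source):
// subjects must match, then the candidate's key is asserted to pubKeyEqual with
// no nil check. A nil interface value fails the single-value assertion and panics.
func alreadyInChain(candidate *x509.Certificate, chain []*x509.Certificate) bool {
	for _, cert := range chain {
		if !bytes.Equal(candidate.RawSubject, cert.RawSubject) {
			continue
		}
		if !candidate.PublicKey.(pubKeyEqual).Equal(cert.PublicKey) {
			continue
		}
		return true
	}
	return false
}

// considerCandidateUnfixed reports whether a candidate parent is worth exploring,
// calling alreadyInChain directly as the unpatched code did.
func considerCandidateUnfixed(candidate *x509.Certificate, chain []*x509.Certificate) bool {
	return !alreadyInChain(candidate, chain)
}

// considerCandidateFixed rejects a nil-key candidate before alreadyInChain can
// touch it, which is the guard the backport adds (exact line is an assumption).
func considerCandidateFixed(candidate *x509.Certificate, chain []*x509.Certificate) bool {
	if candidate.PublicKey == nil || alreadyInChain(candidate, chain) {
		return false
	}
	return true
}

// runGuarded reports whether fn panicked and with what message, so the two
// behaviours can be compared without taking the process down.
func runGuarded(fn func()) (panicked bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			msg = fmt.Sprint(r)
		}
	}()
	fn()
	return false, ""
}

// buildScenario constructs (inline, no DER parsing) a chain holding one
// ECDSA-keyed certificate and a candidate with the same subject bytes but an
// unknown public key algorithm and therefore a nil PublicKey.
func buildScenario() (candidate *x509.Certificate, chain []*x509.Certificate, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	subject := []byte("constructed-raw-subject") // identical bytes so the subject check passes
	chain = []*x509.Certificate{{
		RawSubject:         subject,
		PublicKeyAlgorithm: x509.ECDSA,
		PublicKey:          &priv.PublicKey,
	}}
	candidate = &x509.Certificate{
		RawSubject:         subject,
		PublicKeyAlgorithm: x509.UnknownPublicKeyAlgorithm,
		PublicKey:          nil,
	}
	return candidate, chain, nil
}

func main() {
	candidate, chain, err := buildScenario()
	if err != nil {
		panic(err)
	}
	panicked, msg := runGuarded(func() { considerCandidateUnfixed(candidate, chain) })
	fmt.Printf("unfixed: panicked=%v (%s)\n", panicked, msg)
	panicked, _ = runGuarded(func() { considerCandidateFixed(candidate, chain) })
	fmt.Printf("fixed:   panicked=%v, accepted=%v\n", panicked, considerCandidateFixed(candidate, chain))
}
```

With `go run`, the unfixed path reports a panic of the form `interface conversion: interface is nil, not main.pubKeyEqual`, while the fixed path rejects the candidate before any method is called through the key. An unrecovered panic during a TLS handshake terminates the whole process, which is why the guard belongs in considerCandidate, ahead of the assertion, rather than in a recover around verification.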
gopherbot (Contributor) commented:

Closed by merging 337b8e9 to release-branch.go1.22.

bradfitz pushed a commit to tailscale/go that referenced this issue Mar 5, 2024
…ore interface conversion
romaindoumenc pushed a commit to TroutSoftware/go that referenced this issue Mar 6, 2024
…ore interface conversion
sunjayBhatia added a commit to sunjayBhatia/contour that referenced this issue Mar 11, 2024
See release notes: https://go.dev/doc/devel/release#go1.22.0

golang/go#65831 is the most relevant CVE backport for Contour

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
sunjayBhatia added a commit to projectcontour/contour that referenced this issue Mar 11, 2024
lubronzhan pushed a commit to lubronzhan/contour that referenced this issue Mar 13, 2024