go: Integer overflow on 32-bit architectures via crafted certificate allows for denial of service (CVE-2020-7919)
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
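The paragraph above draws the line between the two exposures: a net/http server recovers the parser panic, while a client (or any code that parses DER outside a net/http handler) has no recovery and crashes. The following is an added example, not code from the Go project or from the advisory, showing that same recovery applied as a guard around crypto/x509.ParseCertificate. The names GuardParser, ParseCertificateSafely and ErrParserPanic are this example's own, and truncatedDER is a constructed malformed input, not the crafted certificate the advisory refers to.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
)

// ErrParserPanic marks a panic raised inside a certificate parser that the
// guard converted into an ordinary error.
var ErrParserPanic = errors.New("certificate parser panicked on malformed input")

// DERParser is the shape shared by crypto/x509 parsers such as
// x509.ParseCertificate; the guard works for any function of this shape.
type DERParser func(der []byte) (*x509.Certificate, error)

// GuardParser wraps a parser so that a panic inside it becomes an error
// wrapping ErrParserPanic instead of unwinding through the caller. This is
// the same recovery a net/http server gives its handlers, applied to code
// paths (clients, custom verification, offline parsers) that have none.
func GuardParser(parse DERParser) DERParser {
	return func(der []byte) (cert *x509.Certificate, err error) {
		defer func() {
			if r := recover(); r != nil {
				cert = nil
				err = fmt.Errorf("%w: %v", ErrParserPanic, r)
			}
		}()
		return parse(der)
	}
}

// ParseCertificateSafely is GuardParser applied to the standard parser.
var ParseCertificateSafely = GuardParser(x509.ParseCertificate)

// truncatedDER is a constructed sample: a SEQUENCE header whose declared
// length (3 bytes) exceeds the bytes actually present. It is not the crafted
// input from the advisory; it only exercises the ordinary error path.
var truncatedDER = []byte{0x30, 0x03, 0x02, 0x01}

func main() {
	cert, err := ParseCertificateSafely(truncatedDER)
	fmt.Printf("cert=%v err=%v wasPanic=%v\n", cert, err, errors.Is(err, ErrParserPanic))

	// Show the recovery path with a parser that panics outright, standing in
	// for the 32-bit failure mode described in the advisory.
	guarded := GuardParser(func([]byte) (*x509.Certificate, error) {
		panic("simulated parser panic")
	})
	_, err = guarded(nil)
	fmt.Printf("recovered=%v err=%v\n", errors.Is(err, ErrParserPanic), err)
}
```

On a patched Go the guard simply forwards the parser's error; on an unpatched 32-bit build it turns the process crash into a logged error the caller can treat like any other bad certificate. It does not change the parser itself, so the fix remains upgrading to the versions listed below; the guard is a containment measure for clients that cannot be rebuilt immediately.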
Fixed In Version:
go 1.14
go 1.13.7
golang.org/x/crypto/cryptobyte v0.0.0-20200124225646-8b5121be2f68
References:
https://github.com/golang/go/issues/36837
https://github.com/golang/go/issues/36838
Patches:
https://github.com/golang/go/commit/f938e06d0623d0e1de202575d16f1e126741f6e0 (1.13.7)
https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574 (1.14)