commit 7d2473dc81c659fba3f3b83bc6e93ca5fe37a898
Author: Dmitri Shuralyov
Date: 2020-01-27 16:36:12 -05:00
[release-branch.go1.13-security] go1.13.7
Change-Id: I4e9b0a8eee1ea6a0854eab88a2daf77b21da549a
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/649300
Reviewed-by: Katie Hockman <katiehockman@google.com>
commit f938e06d0623d0e1de202575d16f1e126741f6e0
Author: Filippo Valsorda
Date: 2020-01-24 18:04:20 -05:00
[release-branch.go1.13-security] src/go.mod: import x/crypto/cryptobyte security fix for 32-bit archs
cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs
When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
overflow could occur, causing a panic, due to malformed ASN.1 being
passed to any of the ASN1 methods of String.
Tested on linux/386 and darwin/amd64.
This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
test vectors.
Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Adam Langley <agl@google.com>
x/crypto/cryptobyte is used in crypto/x509 for parsing certificates.
Malformed certificates might cause a panic during parsing on 32-bit
architectures (like arm and 386).
Change-Id: I840feb54eba880dbb96780ef7adcade073c4c4e3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647741
Reviewed-by: Katie Hockman <katiehockman@google.com>
commit 0cfa6f6086a0361f98bef4100ccc2e68bec02ccb
Author: Filippo Valsorda
Date: 2020-01-21 14:45:15 -05:00
[release-branch.go1.13-security] crypto/x509: mitigate CVE-2020-0601 verification bypass on Windows
An attacker can trick the Windows system verifier into using a poisoned set
of elliptic curve parameters for a trusted root, allowing it to generate
spoofed signatures. When this happens, the returned chain will present
the unmodified original root, so the actual signatures won't verify (as
they are invalid for the correct parameters). Simply double check them
as a safety measure and mitigation.
Windows users should still install the system security patch ASAP.
This is the same mitigation adopted by Chromium:
https://chromium-review.googlesource.com/c/chromium/src/+/1994434
Change-Id: I2c734f6fb2cb51d906c7fd77034318ffeeb3e146
Reviewed-on: https://go-review.googlesource.com/c/go/+/215905
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ryan Sleevi <sleevi@google.com>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647123
Reviewed-by: Filippo Valsorda <valsorda@google.com>
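The double check described in the message above, as an added stand-alone Go example (not the patch itself and not crypto/x509's own code): recheckChain re-verifies each certificate in an already accepted chain against the next one's real public key, and a constructed scenario shows a leaf forged under an attacker's key being rejected when the verifier hands back the genuine root. The function names, the subject names and the one-hour validity are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// recheckChain re-verifies an accepted chain: chain[i] must be signed by chain[i+1]'s real key.
func recheckChain(chain []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return err
		}
	}
	return nil
}
func must[T any](v T, err error) T { // abort on setup errors in this constructed scenario
	if err != nil {
		panic(err)
	}
	return v
}
// mkCert issues a constructed P-256 test certificate; a nil parent means a self-signed CA.
func mkCert(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, signer = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// scenario: the attacker's CA copies the trusted root's name but signs with its own key; a verifier fooled as in CVE-2020-0601 still returns the genuine root, so the forged leaf fails the double check while an honest leaf passes.
func scenario() (honestErr, forgedErr error) {
	root, rootKey := mkCert("Trusted Root CA", nil, nil)
	honest, _ := mkCert("example.test", root, rootKey)
	evilRoot, evilKey := mkCert("Trusted Root CA", nil, nil)
	forged, _ := mkCert("example.test", evilRoot, evilKey)
	honestErr = recheckChain([]*x509.Certificate{honest, root})
	return honestErr, recheckChain([]*x509.Certificate{forged, root})
}
```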
commit 14b79df428fdab83ebc813a72ab714d1e2c488d2
Author: Carlos Amedee
Date: 2020-01-09 11:21:04 -05:00
[release-branch.go1.13] go1.13.6
Change-Id: I8c0396849725345a12d4ca754f926714561fcc6e
Reviewed-on: https://go-review.googlesource.com/c/go/+/214080
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
commit acc723af2646200d13f76ffde80b000c4095074a
Author: Cherry Zhang
Date: 2019-12-27 12:02:00 -05:00
[release-branch.go1.13] runtime: ensure memmove write pointer atomically on ARM64
If a pointer write is not atomic and the GC is running
concurrently, it may observe a partially updated pointer, which
may point to unallocated or already dead memory. Most pointer
writes, like the store instructions generated by the compiler,
are already atomic. But we still need to be careful in places
like memmove. In memmove, we don't know which bits are pointers
(or it is too expensive to query), so we ensure that all aligned
pointer-sized units are written atomically.
Fixes #36361.
Updates #36101.
Change-Id: I1b3ca24c6b1ac8a8aaf9ee470115e9a89ec1b00b
Reviewed-on: https://go-review.googlesource.com/c/go/+/212626
Reviewed-by: Austin Clements <austin@google.com>
(cherry picked from commit ffbc02761abb47106ce88e09290a31513b5f6c8a)
Reviewed-on: https://go-review.googlesource.com/c/go/+/213683
Run-TryBot: Cherry Zhang <cherryyz@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>