crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] #71156
Comments
@gopherbot please open backport issues for 1.22, 1.23, and 1.24
Backport issue(s) opened: #71207 (for 1.22), #71208 (for 1.23), #71209 (for 1.24). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
Change https://go.dev/cl/643096 mentions this issue:
Change https://go.dev/cl/643105 mentions this issue:
Change https://go.dev/cl/643103 mentions this issue:
Change https://go.dev/cl/643099 mentions this issue:
… URIs

When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints.

Thanks to Juho Forsén of Mattermost for reporting this issue.

For #71156
Fixes #71208
Fixes CVE-2024-45341

Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
(cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1762
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643103
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
… URIs

When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints.

Thanks to Juho Forsén of Mattermost for reporting this issue.

For #71156
Fixes #71207
Fixes CVE-2024-45341

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Change-Id: I1d97723e0f29fcf1404fb868ba0495282da70f6e
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1780
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643105
TryBot-Bypass: Michael Knyszek <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
… URIs

When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints.

Thanks to Juho Forsén of Mattermost for reporting this issue.

For #71156
Fixes #71209
Fixes CVE-2024-45341

Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
(cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1800
Commit-Queue: Roland Shoemaker <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643099
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
A certificate with a URI which has an IPv6 address with a zone ID may
incorrectly satisfy a URI name constraint that applies to the certificate
chain.
Certificates containing URIs are not permitted in the web PKI, so this
only affects users of private PKIs which make use of URIs.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-45341.
Tracked in http://b/379881511 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1700.
/cc @golang/security and @golang/release
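An added illustration of the parsing difference behind this issue (not code from the Go project or from the fix CL; a simplified model of the host classification that sits in front of URI name-constraint matching, with constructed sample URIs): net.ParseIP returns nil for a zoned IPv6 literal, so a check built on it lets such a host fall through to domain matching, while netip.ParseAddr still recognises it as an IP address and the host is rejected.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
)

// legacyIsIP models the pre-fix check: net.ParseIP rejects any literal that
// carries an IPv6 zone ID, so a zoned address is not classified as an IP.
func legacyIsIP(host string) bool { return net.ParseIP(host) != nil }

// fixedIsIP models the post-fix check: netip.ParseAddr understands zones,
// so "fe80::1%eth0" is still recognised as an IP address.
func fixedIsIP(host string) bool {
	_, err := netip.ParseAddr(host)
	return err == nil
}

// checkURIHost is a simplified model of the gate in front of URI constraint
// matching: an IP host is rejected (it can never satisfy a DNS-style URI
// constraint); the bool reports whether the host reached domain matching.
func checkURIHost(uri string, useNetip bool) (bool, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return false, err
	}
	host := u.Hostname() // brackets and port stripped; "%25" decoded to "%"
	if host == "" {
		return false, fmt.Errorf("URI %q has no host component", uri)
	}
	isIP := legacyIsIP(host)
	if useNetip {
		isIP = fixedIsIP(host)
	}
	if isIP {
		return false, fmt.Errorf("URI with IP host %q cannot be matched against constraints", host)
	}
	return true, nil
}

func main() {
	// Constructed sample URIs; the zoned literal is the case CVE-2024-45341 is about.
	for _, uri := range []string{"https://example.com/app", "https://[2001:db8::1]/app", "https://[fe80::1%25eth0]:8443/app"} {
		legacy, _ := checkURIHost(uri, false)
		fixed, _ := checkURIHost(uri, true)
		fmt.Printf("%-36s reaches domain matching: legacy=%v fixed=%v\n", uri, legacy, fixed)
	}
}
```

The zoned literal is the only input on which the two classifiers disagree: the legacy path reports it as a hostname and sends it on to domain matching, the netip path rejects it as an IP.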