
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.22 backport] #71207

Closed
gopherbot opened this issue Jan 9, 2025 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases Security
Comments

@gopherbot
Contributor

@neild requested issue #71156 to be considered for backport to the next 1.22 minor release.

@gopherbot please open backport issues for 1.22, 1.23, and 1.24

@gopherbot
Contributor Author

Change https://go.dev/cl/643105 mentions this issue: [release-branch.go1.22] crypto/x509: properly check for IPv6 hosts in URIs

gopherbot pushed a commit that referenced this issue Jan 16, 2025

When checking URI constraints, use netip.ParseAddr, which understands
zones, unlike net.ParseIP which chokes on them. This prevents zone IDs
from mistakenly satisfying URI constraints.

Thanks to Juho Forsén of Mattermost for reporting this issue.

For #71156
Fixes #71207
Fixes CVE-2024-45341

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Change-Id: I1d97723e0f29fcf1404fb868ba0495282da70f6e
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1780
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643105
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
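The commit message above describes the defensive change: deciding whether a URI host is an IP literal with netip.ParseAddr, which understands IPv6 zone IDs, instead of net.ParseIP, which returns nil for them. The following is an added example, not code from the Go repository or from this CL. It shows the two parsers side by side on constructed hosts (the zone name "eth0" is arbitrary) and a standalone host-extraction routine that refuses IP-literal hosts, zoned or bracketed, before any name-constraint matching would take place. The function names are the example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// legacyIsIP asks net.ParseIP whether host is an IP literal. net.ParseIP
// returns nil for IPv6 literals carrying a "%zone" suffix, so such a host is
// reported as "not an IP" and would fall through to hostname matching.
func legacyIsIP(host string) bool {
	return net.ParseIP(host) != nil
}

// isIPLiteral uses netip.ParseAddr, which accepts zone IDs, and also treats a
// host still wrapped in "[...]" as an IP literal, since netip rejects the
// bracketed URI form.
func isIPLiteral(host string) bool {
	if _, err := netip.ParseAddr(host); err == nil {
		return true
	}
	return strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]")
}

// hostForConstraintMatching returns the host name of rawURI that may be
// compared against a URI name constraint. Following RFC 5280 section
// 4.2.1.10, it fails for URIs without a host and for URIs whose host is an
// IP literal, zoned or not.
func hostForConstraintMatching(rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	host := u.Host
	if host == "" {
		return "", fmt.Errorf("URI %q has no host", rawURI)
	}
	// Strip a trailing port; a bare bracketed IPv6 literal has none.
	if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") {
		if host, _, err = net.SplitHostPort(host); err != nil {
			return "", err
		}
	}
	if isIPLiteral(host) {
		return "", fmt.Errorf("URI %q has an IP host and cannot match a name constraint", rawURI)
	}
	return host, nil
}

func main() {
	// Constructed sample hosts.
	for _, h := range []string{"example.com", "192.0.2.10", "2001:db8::1", "fe80::1%eth0"} {
		fmt.Printf("%-14s net.ParseIP=%-5t netip.ParseAddr=%t\n", h, legacyIsIP(h), isIPLiteral(h))
	}
	// Constructed sample URIs; "%25" is the URI encoding of the zone separator.
	for _, u := range []string{"https://www.example.com:8443/", "ldap://[fe80::1%25eth0]:389/"} {
		host, err := hostForConstraintMatching(u)
		fmt.Printf("%s -> host=%q err=%v\n", u, host, err)
	}
}
```

The table printed by main shows the divergence that matters: "fe80::1%eth0" is an IP to netip.ParseAddr but not to net.ParseIP. A constraint checker built on the first helper would pass the zoned literal on to hostname matching; hostForConstraintMatching rejects it up front, so only genuine DNS names reach the suffix comparison.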
@gopherbot
Contributor Author

Closed by merging CL 643105 (commit 19d2103) to release-branch.go1.22.

@mknyszek mknyszek changed the title security: fix CVE-2024-45341 [1.22 backport] crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.22 backport] Jan 16, 2025
@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Jan 16, 2025