
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.23 backport] #71208

Closed
gopherbot opened this issue Jan 9, 2025 · 2 comments
Labels: CherryPickApproved, Security
Comments

@gopherbot (Contributor)

@neild requested issue #71156 to be considered for backport to the next 1.23 minor release.

@gopherbot please open backport issues for 1.22, 1.23, and 1.24

@gopherbot (Contributor, Author)

Change https://go.dev/cl/643103 mentions this issue: [release-branch.go1.23] crypto/x509: properly check for IPv6 hosts in URIs

gopherbot pushed a commit that referenced this issue Jan 16, 2025
… URIs

When checking URI constraints, use netip.ParseAddr, which understands
zones, unlike net.ParseIP which chokes on them. This prevents zone IDs
from mistakenly satisfying URI constraints.

Thanks to Juho Forsén of Mattermost for reporting this issue.

For #71156
Fixes #71208
Fixes CVE-2024-45341

Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
(cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1762
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643103
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
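The parser discrepancy the commit message describes, turned into a regression check. This is example code written for this page, not the Go project's own test or its crypto/x509 implementation. HostFromURL and ParsesAsIP are helpers assumed here: they show the host string a URI constraint checker ends up with and how net.ParseIP (the pre-fix check) and netip.ParseAddr (the fix) each treat it. BuildConstrainedChain and VerifyLeaf build an in-memory root whose URI name constraint permits only .example.com, issue a leaf whose sole SAN is a constructed URI, and run the standard library's chain verification. The crafted URI carries an IPv6 zone ID chosen so that the raw host string ends in ".example.com"; on a Go release that includes this fix it is rejected as an IP host, while an unpatched release lets it satisfy the constraint, which is the bypass. The helper names, the constraint value and the crafted URI are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/netip"
	"net/url"
	"time"
)

// HostFromURL returns the host as a constraint checker sees it: port and
// IPv6 brackets stripped; net/url has already decoded the "%25" zone separator.
func HostFromURL(u *url.URL) string {
	if h, _, err := net.SplitHostPort(u.Host); err == nil {
		return h
	}
	return u.Host // no port: brackets, if any, stay in place
}

// ParsesAsIP reports how the two standard-library parsers treat host: net.ParseIP
// returns nil for any literal carrying a zone (pre-fix), netip.ParseAddr keeps it (fix).
func ParsesAsIP(host string) (viaParseIP, viaParseAddr bool) {
	_, err := netip.ParseAddr(host)
	return net.ParseIP(host) != nil, err == nil
}

// BuildConstrainedChain issues an in-memory root whose URI name constraint
// permits only hosts under .example.com, plus a leaf whose sole SAN is u.
func BuildConstrainedChain(u *url.URL) (*x509.Certificate, *x509.CertPool, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // shared by both certs; only fails if crypto/rand does
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Constrained Test Root"},
		NotBefore:                   now.Add(-time.Hour),
		NotAfter:                    now.Add(time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedURIDomains:         []string{".example.com"},
		PermittedDNSDomainsCritical: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Test Leaf"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		URIs:         []*url.URL{u},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

// VerifyLeaf runs the standard library's chain verification, where the URI
// name constraint is enforced; a non-nil error means the chain was rejected.
func VerifyLeaf(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	// Constructed inputs: a benign URI, and one whose zone ID is chosen so the raw host ends in ".example.com".
	for _, raw := range []string{"https://svc.example.com/", "https://[fe80::1%25.example.com]:443/"} {
		u, err := url.Parse(raw)
		if err != nil {
			panic(err)
		}
		host := HostFromURL(u)
		old, fixed := ParsesAsIP(host)
		if leaf, roots, err := BuildConstrainedChain(u); err != nil {
			fmt.Println(raw, "build failed:", err)
		} else {
			fmt.Printf("%s\n  host=%q net.ParseIP=%v netip.ParseAddr=%v\n  Verify: %v\n", raw, host, old, fixed, VerifyLeaf(leaf, roots))
		}
	}
}
```

The second URI only reaches the domain-constraint matcher because net.SplitHostPort strips the brackets once a port is present; without a port the bracketed form was already caught by the suffix check, so the zoned-with-port shape is the one worth keeping in a regression suite.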
@gopherbot (Contributor, Author)

Closed by merging CL 643103 (commit fdb8413) to release-branch.go1.23.

@mknyszek changed the title from "security: fix CVE-2024-45341 [1.23 backport]" to "crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.23 backport]" on Jan 16, 2025
@dmitshur added the CherryPickApproved label and removed the CherryPickCandidate label on Jan 16, 2025