crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.24 backport] #71209

gopherbot · 2025-01-09T23:28:55Z

@neild requested issue #71156 to be considered for backport to the next 1.24 minor release.

@gopherbot please open backport issues for 1.22, 1.23, and 1.24

gopherbot · 2025-01-16T18:26:56Z

Change https://go.dev/cl/643099 mentions this issue: crypto/x509: properly check for IPv6 hosts in URIs

… URIs When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints. Thanks to Juho Forsén of Mattermost for reporting this issue. For #71156 Fixes #71209 Fixes CVE-2024-45341 Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]> (cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1800 Commit-Queue: Roland Shoemaker <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/643099 LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Michael Pratt <[email protected]>

… URIs When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints. Thanks to Juho Forsén of Mattermost for reporting this issue. For golang#71156 Fixes golang#71209 Fixes CVE-2024-45341 Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]> (cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1800 Commit-Queue: Roland Shoemaker <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/643099 LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Michael Pratt <[email protected]>

gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Jan 9, 2025

gopherbot mentioned this issue Jan 9, 2025

crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] #71156

Closed

mknyszek changed the title ~~security: fix CVE-2024-45341 [1.24 backport]~~ crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.24 backport] Jan 16, 2025

dmitshur closed this as completed Jan 16, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.24 backport] #71209

crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.24 backport] #71209

gopherbot commented Jan 9, 2025

gopherbot commented Jan 16, 2025

crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.24 backport] #71209

crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.24 backport] #71209

Comments

gopherbot commented Jan 9, 2025

gopherbot commented Jan 16, 2025