Date: Wed, 02 Nov 2016 16:58:53 -0700 From: Cedric Staub <css@....bio> To: oss-security@...ts.openwall.com Subject: CVE request: multiple issues in go-jose package Hello, I'd like to request CVE numbers for three issues in go-jose (https://github.com/square/go-jose): 1. Invalid curve attack for ECDH-ES algorithm When deriving a shared key using ECDH-ES for an encrypted message, go- jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack. Upstream patch: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507 2. Exploiting multiple signatures The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated. Upstream patch: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6 3. CBC-HMAC integer overflow on 32-bit architectures An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures. Upstream patch: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96 All of the above issues were reported by Quan Nguyen from Google's Information Security Engineering Team. Thanks, Cedric
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ