An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key such that the library panics when it tries to verify a signature with that key. If an application verifies signatures using user-supplied public keys, this may be used as a denial-of-service vector.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2020-0012" }
{ "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "CertChecker.Authenticate", "CertChecker.CheckCert", "CertChecker.CheckHostKey", "Certificate.Verify", "Dial", "NewClientConn", "NewPublicKey", "NewServerConn", "NewSignerFromKey", "NewSignerFromSigner", "ParseAuthorizedKey", "ParseKnownHosts", "ParsePrivateKey", "ParsePrivateKeyWithPassphrase", "ParsePublicKey", "ParseRawPrivateKey", "ParseRawPrivateKeyWithPassphrase", "ed25519PublicKey.Verify", "parseED25519", "parseSKEd25519", "skEd25519PublicKey.Verify" ] } ] }