GO-2023-1570

Source
https://pkg.go.dev/vuln/GO-2023-1570
Import Source
https://vuln.go.dev/ID/GO-2023-1570.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1570
Aliases
Related
Published
2023-02-16T22:24:51Z
Modified
2024-05-20T16:03:47Z
Summary
Panic on large handshake records in crypto/tls
Details

Large handshake records may cause panics in crypto/tls.

Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-1570"
}
References
Credits
    • Marten Seemann

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.19.6
Introduced
1.20.0-0
Fixed
1.20.1

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/tls",
            "symbols": [
                "Conn.Handshake",
                "Conn.HandshakeContext",
                "Conn.Read",
                "Conn.Write",
                "Conn.clientHandshake",
                "Conn.handleKeyUpdate",
                "Conn.handlePostHandshakeMessage",
                "Conn.handleRenegotiation",
                "Conn.loadSession",
                "Conn.readClientHello",
                "Conn.readHandshake",
                "Conn.writeRecord",
                "ConnectionState.ExportKeyingMaterial",
                "Dial",
                "DialWithDialer",
                "Dialer.Dial",
                "Dialer.DialContext",
                "certificateMsg.marshal",
                "certificateMsgTLS13.marshal",
                "certificateRequestMsg.marshal",
                "certificateRequestMsgTLS13.marshal",
                "certificateStatusMsg.marshal",
                "certificateVerifyMsg.marshal",
                "cipherSuiteTLS13.expandLabel",
                "clientHandshakeState.doFullHandshake",
                "clientHandshakeState.handshake",
                "clientHandshakeState.readFinished",
                "clientHandshakeState.readSessionTicket",
                "clientHandshakeState.sendFinished",
                "clientHandshakeStateTLS13.handshake",
                "clientHandshakeStateTLS13.processHelloRetryRequest",
                "clientHandshakeStateTLS13.readServerCertificate",
                "clientHandshakeStateTLS13.readServerFinished",
                "clientHandshakeStateTLS13.readServerParameters",
                "clientHandshakeStateTLS13.sendClientCertificate",
                "clientHandshakeStateTLS13.sendClientFinished",
                "clientHandshakeStateTLS13.sendDummyChangeCipherSpec",
                "clientHelloMsg.marshal",
                "clientHelloMsg.marshalWithoutBinders",
                "clientHelloMsg.updateBinders",
                "clientKeyExchangeMsg.marshal",
                "encryptedExtensionsMsg.marshal",
                "endOfEarlyDataMsg.marshal",
                "finishedMsg.marshal",
                "handshakeMessage.marshal",
                "helloRequestMsg.marshal",
                "keyUpdateMsg.marshal",
                "newSessionTicketMsg.marshal",
                "newSessionTicketMsgTLS13.marshal",
                "serverHandshakeState.doFullHandshake",
                "serverHandshakeState.doResumeHandshake",
                "serverHandshakeState.readFinished",
                "serverHandshakeState.sendFinished",
                "serverHandshakeState.sendSessionTicket",
                "serverHandshakeStateTLS13.checkForResumption",
                "serverHandshakeStateTLS13.doHelloRetryRequest",
                "serverHandshakeStateTLS13.readClientCertificate",
                "serverHandshakeStateTLS13.readClientFinished",
                "serverHandshakeStateTLS13.sendDummyChangeCipherSpec",
                "serverHandshakeStateTLS13.sendServerCertificate",
                "serverHandshakeStateTLS13.sendServerFinished",
                "serverHandshakeStateTLS13.sendServerParameters",
                "serverHandshakeStateTLS13.sendSessionTickets",
                "serverHelloDoneMsg.marshal",
                "serverHelloMsg.marshal",
                "serverKeyExchangeMsg.marshal",
                "sessionState.marshal",
                "sessionStateTLS13.marshal"
            ]
        }
    ]
}