
GHSA-3h3x-2hwv-hr52: remove v2 version from affected versions list #4950

Merged
merged 3 commits, Oct 28, 2024

Conversation

qmuntal
Contributor

@qmuntal qmuntal commented Oct 28, 2024

I'm an owner of the github.com/golang-fips/openssl repo and also main contributor: https://github.com/golang-fips/openssl/graphs/contributors.

GHSA-3h3x-2hwv-hr52 has been unintentionally assigned to the v2 major version, when only v1 is affected.

This PR removes the v2 version from the affected versions list.

@github-actions github-actions bot changed the base branch from main to qmuntal/advisory-improvement-4950 October 28, 2024 15:22
@darakian
Contributor

Hey @qmuntal 👋

Out of curiosity do you know where this issue was addressed in the code? I've looked around a little and based on this comment from the Red Hat bug
https://bugzilla.redhat.com/show_bug.cgi?id=2315719

intermittently return a zeroed buffer from (*boringHMAC).Sum() in FIPS mode

I was looking for a change to boringHMAC, however searching for that string doesn't return anything. If you don't have a code change I can inspect are there any release notes from the project mentioning the fix?
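A practitioner running a FIPS build on the v1 module would want a regression check for the symptom quoted above: an HMAC Sum() that intermittently comes back zeroed. The Go program below is an added example, not code from golang-fips/openssl, from the fix PR, or from this advisory thread. It repeatedly builds an HMAC through crypto/hmac with the RFC 4231 test case 2 known-answer vector and fails on the first Sum() that is all zeros, disagrees with the known answer, or differs between two consecutive calls on the same object. The flakyHash type and NewFlakyHashFactory are hypothetical stand-ins that fake the symptom on top of SHA-256 so the check can be seen firing; they are not the affected code.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// Known-answer vector: RFC 4231 test case 2 for HMAC-SHA-256.
const (
	katKey  = "Jefe"
	katData = "what do ya want for nothing?"
	katMAC  = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
)

// isAllZero reports whether every byte of b is zero.
func isAllZero(b []byte) bool {
	for _, c := range b {
		if c != 0 {
			return false
		}
	}
	return true
}

// CheckHMACSum constructs a fresh HMAC from newHash on every iteration, feeds
// it the RFC 4231 vector and returns a non-nil error on the first Sum() that
// is all zeros, does not match the known answer, or changes between two
// consecutive Sum() calls on the same object. A nil result means every
// iteration produced the expected MAC.
func CheckHMACSum(newHash func() hash.Hash, iterations int) error {
	want, err := hex.DecodeString(katMAC)
	if err != nil {
		return err
	}
	for i := 0; i < iterations; i++ {
		m := hmac.New(newHash, []byte(katKey))
		m.Write([]byte(katData))
		got := m.Sum(nil)
		switch {
		case isAllZero(got):
			return fmt.Errorf("iteration %d: Sum returned an all-zero %d-byte buffer", i, len(got))
		case !hmac.Equal(got, want):
			return fmt.Errorf("iteration %d: Sum returned %x, want %x", i, got, want)
		}
		// Sum must not consume state: a second call has to return the same bytes.
		if again := m.Sum(nil); !bytes.Equal(again, got) {
			return fmt.Errorf("iteration %d: second Sum returned %x, first returned %x", i, again, got)
		}
	}
	return nil
}

// flakyHash is a hypothetical hash.Hash that wraps SHA-256 and returns an
// all-zero digest on every `every`-th Sum call, imitating the intermittent
// symptom from the bug report. It is a test double, not golang-fips/openssl code.
type flakyHash struct {
	hash.Hash
	calls *int // shared across the inner and outer hashes of one HMAC
	every int
}

func (f flakyHash) Sum(b []byte) []byte {
	*f.calls++
	if *f.calls%f.every == 0 {
		return append(b, make([]byte, f.Size())...)
	}
	return f.Hash.Sum(b)
}

// NewFlakyHashFactory returns a constructor whose hashes share one call counter,
// so the zeroed Sum lands on a deterministic call for a given `every`.
func NewFlakyHashFactory(every int) func() hash.Hash {
	calls := 0
	return func() hash.Hash {
		return flakyHash{Hash: sha256.New(), calls: &calls, every: every}
	}
}

func main() {
	fmt.Println("stdlib sha256:", CheckHMACSum(sha256.New, 1000))
	fmt.Println("flaky hash:   ", CheckHMACSum(NewFlakyHashFactory(6), 1000))
}
```

With the standard library the check returns nil; with the flaky double and every=6 the sixth Sum call is the outer hash of the first Sum() in the second iteration, so the check reports an all-zero buffer. To exercise a real FIPS build, pass the hash constructor your application actually uses (for example one routed through golang-fips/openssl) instead of sha256.New; an honest implementation must also pass the second-Sum comparison, since Sum is documented not to change the underlying hash state.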

@qmuntal
Contributor Author

qmuntal commented Oct 28, 2024

The issue was fixed in this PR: golang-fips/openssl#198. The master branch is not tagged nor versioned, so there is no "fixed version" unfortunately.

@qmuntal qmuntal changed the base branch from qmuntal/advisory-improvement-4950 to main October 28, 2024 16:28
@darakian
Contributor

Mmmm that's unfortunate. I take it that the relevant code for the change is simply not in the v2 branch? I guess v2 is a rewrite/re-arch/whatever? I'm not overly familiar with golang, but it looks like the func (h *boringHMAC) functions don't exist in the hmac.go file on the v2 branch.

@qmuntal
Contributor Author

qmuntal commented Oct 28, 2024

Yep, v2 is a complete rewrite. The vulnerability is in a C function that no longer exists.

@darakian
Contributor

darakian commented Oct 28, 2024

Gotcha. Thanks for taking the time to walk me through the context. Let me get this going for you :)

@advisory-database advisory-database bot merged commit 5e2eadb into github:main Oct 28, 2024
0 of 2 checks passed
@advisory-database
Contributor

Hi @qmuntal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
