| commit | e79546e28b85ea53dd37afe1c4102746ef553b9c |
|---|---|
| author | Neal Patel <nealpatel@google.com> | Wed Nov 19 13:35:12 2025 -0500 |
| committer | Gopher Robot <gobot@golang.org> | Wed Nov 19 11:28:37 2025 -0800 |
| tree | 1fea6dd50a03f22132077b4a32efd929fbc697b0 |
| parent | f91f7a7c31bf90b39c1de895ad116a2bacc88748 |
ssh: curb GSSAPI DoS risk by limiting number of specified OIDs

Previously, an attacker could specify an integer up to 0xFFFFFFFF that would directly allocate memory despite the observability of the rest of the payload. This change places a hard cap on the amount of mechanisms that can be specified and encoded in the payload. Additionally, it performs a small sanity check to deny payloads whose stated size is contradictory to the observed payload.

Thank you to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-58181
Fixes golang/go#76363

Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
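The allocation pattern the commit message describes, beside a parser that applies its two checks (a hard cap on the mechanism count and a plausibility check of that count against the bytes actually present), as an added Go example that is not the x/crypto code; the constant `maxMechanisms`, both function names and the two payloads are constructed for this illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Hypothetical cap; the real x/crypto constant and value are not on this page.
const maxMechanisms = 16

// Constructed inputs: benignPayload lists two mechanisms; hostilePayload
// claims 0xFFFFFFFF mechanisms but carries a single byte after the count.
var (
	benignPayload  = []byte{0, 0, 0, 2, 0, 0, 0, 1, 0x2a, 0, 0, 0, 2, 0x06, 0x01}
	hostilePayload = []byte{0xff, 0xff, 0xff, 0xff, 0x00}
)

// vulnerableAllocSize shows the pre-fix shape: the wire count alone sized the
// slice before any entry was parsed. It returns that count instead of allocating.
func vulnerableAllocSize(payload []byte) uint32 {
	if len(payload) < 4 {
		return 0
	}
	return binary.BigEndian.Uint32(payload)
}

// parseMechanismsHardened caps the count and rejects a count that the
// remaining bytes could not possibly encode (each entry needs at least a
// 4-byte length prefix), so allocation is bounded by the observed payload.
func parseMechanismsHardened(payload []byte) ([][]byte, error) {
	if len(payload) < 4 {
		return nil, errors.New("gssapi: truncated payload")
	}
	n, rest := binary.BigEndian.Uint32(payload), payload[4:]
	if n > maxMechanisms {
		return nil, errors.New("gssapi: mechanism count exceeds cap")
	}
	if uint64(n)*4 > uint64(len(rest)) {
		return nil, errors.New("gssapi: mechanism count contradicts payload size")
	}
	mechs := make([][]byte, 0, n) // at most maxMechanisms entries now
	for i := uint32(0); i < n; i++ {
		if len(rest) < 4 || uint64(len(rest)-4) < uint64(binary.BigEndian.Uint32(rest)) {
			return nil, errors.New("gssapi: truncated mechanism")
		}
		l := binary.BigEndian.Uint32(rest)
		mechs, rest = append(mechs, rest[4:4+l]), rest[4+l:]
	}
	return mechs, nil
}
```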
This repository holds supplementary Go cryptography packages.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.
The git repository is https://go.googlesource.com/crypto.
The main issue tracker for the crypto repository is located at https://go.dev/issues. Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.
Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.