CVE-2019-11841

Name of the Vulnerable Software and Affected Versions supplementary Go cryptography libraries (affected versions not specified)

Description A message-forgery issue was discovered in the supplementary Go cryptography libraries. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers, which specify the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, allowing an attacker to spoof it. This enables an attacker to lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Furthermore, the library's skipping of Armor Header parsing allows an attacker to embed arbitrary Armor Headers and prepend arbitrary text to cleartext messages without invalidating the signatures.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.