[security] x/crypto/openpgp/clearsign accepted potentially misleading messages


Filippo Valsorda

Apr 24, 2019, 4:48:51 PM
to golang-...@googlegroups.com
Hello gophers,

The golang.org/x/crypto/openpgp/clearsign package used to accept messages with arbitrary headers in the SIGNED MESSAGE section. While that content would not be part of the returned Plaintext, and therefore not verified, a human observer could be led to believe it was part of the signed message.

This was reported by Aida Mynzhasova of SEC Consult Vulnerability Lab.

The issue is fixed in the master branch of the golang.org/x/crypto module, and you can find the patch and additional details at https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442.

Until next time,
Filippo for the Go team
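As an added illustration (not code from the x/crypto package or from the Go team), the following standalone Go pre-check scans the header block of a clearsigned message and rejects anything other than the Hash header that RFC 4880 section 7 allows there, so header lines like the ones described above are flagged instead of silently dropped from Plaintext. Both sample messages are constructed for this example and carry no real signature.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const beginMarker = "-----BEGIN PGP SIGNED MESSAGE-----"

// Constructed sample (not a real signed message): the header block carries a
// non-Hash line that a reader could mistake for part of the signed text.
const sampleMisleading = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\nComment: Approved by the CFO, please pay immediately\n\nInvoice 42 is attached.\n-----BEGIN PGP SIGNATURE-----\n(signature omitted)\n-----END PGP SIGNATURE-----\n"

// Constructed sample with only the Hash header that RFC 4880 section 7 allows.
const sampleClean = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256,SHA512\n\nInvoice 42 is attached.\n-----BEGIN PGP SIGNATURE-----\n(signature omitted)\n-----END PGP SIGNATURE-----\n"

// ClearsignHashHeaders reads the header block between the BEGIN line and the
// first blank line, returns the declared hash algorithms, and fails on any
// header that is not "Hash:", so nothing in that block goes unnoticed.
func ClearsignHashHeaders(msg string) ([]string, error) {
	sc := bufio.NewScanner(strings.NewReader(msg))
	for sc.Scan() {
		if strings.TrimRight(sc.Text(), " \t\r") != beginMarker {
			continue
		}
		var hashes []string
		for sc.Scan() {
			line := strings.TrimRight(sc.Text(), " \t\r")
			if line == "" { // the blank line terminates the header block
				return hashes, nil
			}
			parts := strings.SplitN(line, ":", 2)
			if len(parts) != 2 || parts[0] != "Hash" {
				return nil, fmt.Errorf("unexpected clearsign header %q", line)
			}
			for _, h := range strings.Split(parts[1], ",") {
				hashes = append(hashes, strings.TrimSpace(h))
			}
		}
		return nil, fmt.Errorf("header block not terminated by a blank line")
	}
	return nil, fmt.Errorf("no clearsign BEGIN marker found")
}

func main() {
	for _, m := range []string{sampleClean, sampleMisleading} {
		fmt.Println(ClearsignHashHeaders(m))
	}
}
```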