CVE-2020-7711 - Pure Go repositories (goxmldsig) vulnerability – 23-08-2020

Preface: goxmldsig is a pure Go implementation of XML digital signatures. Together with etree, it is the basis of a SAML 2.0 implementation for Service Providers.

Background: In Go, "nil" represents the zero value for pointers, interfaces, channels, maps, slices and function types.

Vulnerability Details: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Reference: When Go initializes a pointer i, it sets i to nil. The value of i is the address of *i, so while i is nil the system has not assigned an address to *i. An assignment to *i at this point will fail.

Remedy: No official fix has been announced yet. Could similar syntax be applied as a short-term remediation of this design weakness? The gosaml2 package encountered a similar technical issue (nil pointer dereference) on Aug 14, 2019. For more details, please refer to the diagram.
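
The nil dereference described under Reference, and a nil check of the kind the Remedy paragraph asks about, as an added example (not code from goxmldsig or gosaml2). The `Signature` and `SignedInfo` types, the function names and the sample XML are constructed for illustration; the `recover` wrapper is an additional assumption about how a caller could contain the crash.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// Constructed types for illustration; not goxmldsig's own structures.
type SignedInfo struct {
	Method string `xml:"SignatureMethod"`
}
type Signature struct {
	SignedInfo *SignedInfo `xml:"SignedInfo"` // stays nil when the element is absent
}

// methodUnchecked dereferences SignedInfo without a nil check.
func methodUnchecked(sig *Signature) (string, error) {
	return sig.SignedInfo.Method, nil // panics when SignedInfo is nil
}

// methodChecked rejects the document instead of dereferencing nil.
func methodChecked(sig *Signature) (string, error) {
	if sig.SignedInfo == nil {
		return "", errors.New("signature has no SignedInfo element")
	}
	return sig.SignedInfo.Method, nil
}

// process parses doc and runs get, converting any panic into an error
// so that one malformed input cannot crash the whole process.
func process(doc string, get func(*Signature) (string, error)) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	var sig Signature
	if err := xml.Unmarshal([]byte(doc), &sig); err != nil {
		return "", err
	}
	return get(&sig)
}

func main() {
	bad := `<Signature></Signature>` // constructed input: SignedInfo is missing
	fmt.Println(process(bad, methodUnchecked)) // recovered panic reported as an error
	fmt.Println(process(bad, methodChecked))   // clean validation error
}
```

Without the deferred `recover`, the unchecked variant terminates the program on the malformed input; the nil check is the actual fix, and `recover` only limits the impact.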
