Package: golang-github-russellhaering-goxmldsig / 1.1.0-1+deb11u1

CVE-2020-7711.patch Patch series | download
commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f
Merge: 3541f5e ca2b448
Author: Russell Haering <russellhaering@gmail.com>
Date:   Fri Aug 27 20:19:01 2021 -0700

    Merge pull request #71 from aporcupine/patch-1
    
    Explicitly check for case where SignatureValue is nil

Index: golang-github-russellhaering-goxmldsig-1.1.0/validate.go
===================================================================
--- golang-github-russellhaering-goxmldsig-1.1.0.orig/validate.go	2022-03-24 02:38:38.797524728 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/validate.go	2022-03-24 02:38:38.797524728 +0100
@@ -271,6 +271,9 @@
 	if !bytes.Equal(digest, decodedDigestValue) {
 		return nil, errors.New("Signature could not be verified")
 	}
+	if sig.SignatureValue == nil {
+		return nil, errors.New("Signature could not be verified")
+	}
 
 	// Decode the 'SignatureValue' so we can compare against it
 	decodedSignature, err := base64.StdEncoding.DecodeString(sig.SignatureValue.Data)
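Review bot: The added guard `if sig.SignatureValue == nil` carries no comment, and no regression test is visible, so its reason is easy to lose in a later refactor: without it, a Signature element lacking a SignatureValue child would panic at `sig.SignatureValue.Data` on the last line of this hunk. I would put `// Reject a Signature with no SignatureValue child; dereferencing it below would panic on untrusted XML.` above the check. I would also add a test that validates a document with the SignatureValue element removed and expects an error instead of a panic. The guard covers only this one pointer, and the enclosing function starts and ends outside the hunk, so whether other optional children of `sig` are dereferenced unchecked cannot be confirmed from here and is worth auditing. Reusing the generic "Signature could not be verified" message matches the digest-mismatch branch above and avoids telling the sender which check failed.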