fix: Go JOSE vulnerable to Improper Handling of Highly Compressed Dat…

…a (Data Amplification) (#1090) Co-authored-by: alexlokshin-czi <[email protected]>
chanzuckerberg · Jan 2, 2025 · 1b28605 · 1b28605
1 parent 999f7a2
commit 1b28605
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/oidc_cli/go.mod b/oidc_cli/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/zalando/go-keyring v0.2.4
 	golang.org/x/crypto v0.31.0
 	golang.org/x/oauth2 v0.18.0
-	gopkg.in/square/go-jose.v2 v2.6.0
+	gopkg.in/go-jose/go-jose.v2 v2.6.3
 )
 
 require (
@@ -37,6 +37,7 @@ require (
 	golang.org/x/sys v0.28.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 

diff --git a/oidc_cli/go.sum b/oidc_cli/go.sum
@@ -106,6 +106,8 @@ google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHh
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
+gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

diff --git a/oidc_cli/oidc_impl/rsa-keygen.go b/oidc_cli/oidc_impl/rsa-keygen.go
@@ -8,7 +8,7 @@ import (
 	"os"
 
 	"golang.org/x/crypto/ssh"
-	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/go-jose/go-jose.v2"
 )
 
 // Generate new RSA keys.