Please see the associated blog post for details.
Since versions of Go newer than 1.13.1 are patched, I;ve included a Dockerfile, that makes it easier to pin your Go version. Simply run Docker build:
docker build .
There are two files of interest:
dsa_test.go: Contains a test case for causingdsa.Verifyto panic/ssh_test.go: Contains a test case for making ancrypto/ssh.Clientto panic via an evil SSH Host Key.
Please open issues in Github for ideas, bugs, and general thoughts. Pull requests are of course preferred :)
poc-dsa-verify-CVE-2019-17596 is licensed under the Apache License, Version 2.0