-
Notifications
You must be signed in to change notification settings - Fork 397
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lack of encoding checks allows a certain degree of signature malleability in ECDSA signatures #226
Comments
I've obtained a CVE with identifier 2020-13822 (in case developers want to refer to this problem) and the following description: The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature. |
The following links elaborate on the implications of signature malleability in the case of ECDSA: |
Is there any movement on this? any help needed? |
We are getting high severity vulnerability with "elliptic" package. Link: https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484 Remediation: Any idea by when this can be fixed? |
We also facing the vulnerability issue with latest version of "elliptic" |
Published 6.5.3 . It appears that it passes all tests. @adelapie would you feel like contributing the test suite to the library? It is unclear whether the code that you have submitted is under compatible license. |
@indutny - Still snyk throws high severity issue on 6.5.3 version. Please refer the below link for same. |
For the lack of better channels - I have sent them a DM on twitter 😂 Not sure what's the best way to handle this. |
Sure, please consider the code I submitted as public domain |
@indutny we review all new releases within 24 hours of when they are published - but we do need to manually verify things, so it's a slight delay between when you publish and when we update the DB (we just did that verification process now - and saw this update in this issue :) ) but you can always ping the security team at snyk direct using our email: [email protected] if you want to nudge us along or give us a heads up that you're readying a release!
|
sourceclear determined elliptic v6.5.3 to be safe version!!! |
Hooray. Thanks everyone! |
hello all, I went to sourceclear and it still shows the latest version has vulnerable. Which source should I believe? |
@indutny Looks like this issue can be closed since it was fixed w/ 6.5.3? Open status gives the impression that it's not fixed yet. |
Thanks for a reminder @williams-brian ! |
Hi I'm using Elliptic 6.5.3 version but still I'm facing this issue in my project. Could you please let me know the fix for this? I tried npm install [email protected] Thanks |
/tmp/aab $ npm init -y
Wrote to /private/tmp/aab/package.json:
{
"name": "aab",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
/tmp/aab $ npm install [email protected]
added 8 packages, and audited 8 packages in 766ms
found 0 vulnerabilities
/tmp/aab $ npm audit
found 0 vulnerabilities Seems to be working alright on my end... |
Hello,
Using elliptic 6.5.2 I've found that the ECDSA verification functionality validates signatures as 'true' when the encoding is incorrect i.e. it has been modified / altered against the standard, allowing a certain degree of malleability in the signatures. Based on the Google Wycheproof test vectors, the following changes on an ECDSA signature are not detected:
See the proof of concept and test vectors below:
Test vectors:
The text was updated successfully, but these errors were encountered: