Lack of encoding checks allows a certain degree of signature malleability in ECDSA signatures #226
Comments
|
I've obtained a CVE with identifier 2020-13822 (in case developers want to refer to this problem) and the following description: The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature. |
|
The following links elaborate on the implications of signature malleability in the case of ECDSA: |
|
Is there any movement on this? any help needed? |
|
We are getting high severity vulnerability with "elliptic" package. Link: https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484 Remediation: Any idea by when this can be fixed? |
|
We also facing the vulnerability issue with latest version of "elliptic" |
|
Guys, any pointers for this, we are getting the high severity vulnerability from sourceclear
|
|
Published 6.5.3 . It appears that it passes all tests. @adelapie would you feel like contributing the test suite to the library? It is unclear whether the code that you have submitted is under compatible license. |
|
@indutny - Still snyk throws high severity issue on 6.5.3 version. Please refer the below link for same. |
|
For the lack of better channels - I have sent them a DM on twitter 😂 Not sure what's the best way to handle this. |
Sure, please consider the code I submitted as public domain |
|
@indutny we review all new releases within 24 hours of when they are published - but we do need to manually verify things, so it's a slight delay between when you publish and when we update the DB (we just did that verification process now - and saw this update in this issue :) ) but you can always ping the security team at snyk direct using our email: report@snyk.io if you want to nudge us along or give us a heads up that you're readying a release!
|
|
sourceclear determined elliptic v6.5.3 to be safe version!!! |
|
Hooray. Thanks everyone! |
|
hello all, I went to sourceclear and it still shows the latest version has vulnerable. Which source should I believe? |
|
@indutny Looks like this issue can be closed since it was fixed w/ 6.5.3? Open status gives the impression that it's not fixed yet. |
|
Thanks for a reminder @williams-brian ! |
|
Hi I'm using Elliptic 6.5.3 version but still I'm facing this issue in my project.
Could you please let me know the fix for this? I tried npm install elliptic@6.5.3 Thanks |
|
Hi, I'm also seeing this error. Or scans (using jFrog) are also picking up this violation, which states that both the infected and fixed versions are 6.5.3. Is there any movement on confirming this issue still exists/creating a fix? |
/tmp/aab $ npm init -y
Wrote to /private/tmp/aab/package.json:
{
"name": "aab",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
/tmp/aab $ npm install elliptic@6.5.3
added 8 packages, and audited 8 packages in 766ms
found 0 vulnerabilities
/tmp/aab $ npm audit
found 0 vulnerabilitiesSeems to be working alright on my end... |
Hello,
Using elliptic 6.5.2 I've found that the ECDSA verification functionality validates signatures as 'true' when the encoding is incorrect i.e. it has been modified / altered against the standard, allowing a certain degree of malleability in the signatures. Based on the Google Wycheproof test vectors, the following changes on an ECDSA signature are not detected:
See the proof of concept and test vectors below:
Test vectors:
The text was updated successfully, but these errors were encountered: