Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency @openzeppelin/contracts to v4.9.6 [security] #163

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency @openzeppelin/contracts to v4.9.6 [security] #163

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 29, 2024
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@openzeppelin/contracts (source) 4.9.3 -> 4.9.6 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-27094

Impact

The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer.

Although the encode function pads the output for these cases, up to 4 bits of data are kept between the encoding and padding, corrupting the output if these bits were dirty (i.e. memory after the input is not 0). These conditions are more frequent in the following scenarios:

  • A bytes memory struct is allocated just after the input and the first bytes of it are non-zero.
  • The memory pointer is set to a non-empty memory location before allocating the input.

Developers should evaluate whether the extra bits can be maliciously manipulated by an attacker.

Patches

Upgrade to 5.0.2 or 4.9.6.

References

This issue was reported by the Independent Security Researcher Riley Holterhus through Immunefi (@​rileyholterhus on X)

Release Notes

OpenZeppelin/openzeppelin-contracts (@​openzeppelin/contracts)

v4.9.6

Compare Source

  • Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#​4929)

v4.9.5

Compare Source

  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

v4.9.4

Compare Source

  • ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Kolkata, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the renovate label Feb 29, 2024
@vercel Vercel
Copy link

vercel bot commented Feb 29, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
sway ❌ Failed (Inspect) Feb 29, 2024 10:12pm
sway-static ❌ Failed (Inspect) Feb 29, 2024 10:12pm

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Feb 29, 2024

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
Internal Error: Error when performing the request to https://registry.npmjs.org/yarn; for troubleshooting help, see https://github.com/nodejs/corepack#troubleshooting
    at fetch (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:22882:11)
    at async fetchAsJson (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:22896:20)
    at async fetchLatestStableVersion (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:22948:20)
    at async fetchLatestStableVersion2 (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:22971:14)
    at async Engine.getDefaultVersion (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:23349:25)
    at async executePackageManagerRequest (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:24207:28)
    at async BinaryCommand.validateAndExecute (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:21173:22)
    at async _Cli.run (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:22148:18)
    at async Object.runMain (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:24279:12)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants