Impact
ecdsa_verify_[prepare_]legacy() does not check whether the signature values r and s are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures.
Requiring multiple signatures from different public keys does not mitigate the issue: ecdsa_verify_list_legacy() will accept an arbitrary number of such forged signatures.
Both the ecdsautil verify CLI command and the libecdsautil library are affected.
The exact same vulnerability was recently found in the Java Runtime Environment (CVE-2022-21449).
Patches
The issue has been fixed in ecdsautils 0.4.1.
All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.
ecdsautils 0.4.1 is API- and ABI-compatible with version 0.4.0 (which is the same as version 0.3.2.20160630 found in the OpenWrt packages feed). The patch (commit 1d4b091) should also apply to older versions of ecdsautuils with minor adjustments.
Impact
ecdsa_verify_[prepare_]legacy()does not check whether the signature valuesrandsare non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures.Requiring multiple signatures from different public keys does not mitigate the issue:
ecdsa_verify_list_legacy()will accept an arbitrary number of such forged signatures.Both the
ecdsautil verifyCLI command and the libecdsautil library are affected.The exact same vulnerability was recently found in the Java Runtime Environment (CVE-2022-21449).
Patches
The issue has been fixed in ecdsautils 0.4.1.
All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.
ecdsautils 0.4.1 is API- and ABI-compatible with version 0.4.0 (which is the same as version 0.3.2.20160630 found in the OpenWrt packages feed). The patch (commit 1d4b091) should also apply to older versions of ecdsautuils with minor adjustments.