RUSTSEC-2022-0093 #4327

Closed
jxs opened this issue Aug 14, 2023 · 5 comments · Fixed by #4337
Comments

@jxs
Member

jxs commented Aug 14, 2023

Description

RUSTSEC-2022-0093 has just been issued which will make cargo deny fail on the CI. I tried updating identity and noise that depend on it, but we are blocked by mcginty/snow#164

@thomaseizinger
Contributor

Will this be a patch-release in both cases? I hope 🤞

@mxinden
Member

mxinden commented Aug 15, 2023

Thank you @jxs for raising attention for this.

Trying to understand the impact of this vulnerability.

libp2p-identity

When creating a Keypair, we use the bytes representation which contains both the public and the private key.

```rust
/// Try to parse a keypair from the [binary format](https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.5)
/// produced by [`Keypair::to_bytes`], zeroing the input on success.
///
/// Note that this binary format is the same as `ed25519_dalek`'s and `ed25519_zebra`'s.
pub fn try_from_bytes(kp: &mut [u8]) -> Result<Keypair, DecodingError> {
    ed25519::Keypair::from_bytes(kp)
        .map(|k| {
            kp.zeroize();
            Keypair(k)
        })
        .map_err(|e| DecodingError::failed_to_parse("Ed25519 keypair", e))
}
```

I don't see how an attacker would be able to influence the input public key to extract the private key, as the latter is already known to the attacker at that point.

libp2p-noise

As far as I can tell libp2p-noise, i.e. snow, is using [curve25519-dalek](https://github.com/dalek-cryptography/curve25519-dalek/blob/main/curve25519-dalek) and not ed25519-dalek. See snow's Cargo.toml.

The RUSTSEC is only for curve25519-dalek.

@jxs am I missing something?

@jxs
Member Author

jxs commented Aug 15, 2023

Ah, sorry for not being completely clear in the previous comment.
The RUSTSEC is for ed25519-dalek, which we use in identity. When I tried updating it, it conflicts with snow, as snow uses curve25519-dalek =4.0.0-rc.1, which conflicts with updating ed25519-dalek to 2.0.0 because it uses curve25519-dalek 4.0.0.
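
The version conflict described in the comment above, as an added example that is not part of the thread and not Cargo's own code: a simplified model of Cargo's requirement matching (only `=` and caret requirements, major version 1 or higher) showing that no single curve25519-dalek version satisfies both snow's `=4.0.0-rc.1` pin and the `4.0.0` requirement. The `unify` helper, the candidate list and the relaxed requirement in `main` are assumptions made for illustration.

```rust
// Added example: simplified model of Cargo version matching, not Cargo's implementation.
#[derive(Debug, Clone, PartialEq)]
struct Version { major: u64, minor: u64, patch: u64, pre: Option<String> }

fn parse(v: &str) -> Version {
    let (core, pre) = match v.split_once('-') {
        Some((c, p)) => (c, Some(p.to_string())),
        None => (v, None),
    };
    let n: Vec<u64> = core.split('.').map(|x| x.parse().expect("numeric field")).collect();
    Version { major: n[0], minor: n[1], patch: n[2], pre }
}

enum Req { Exact(Version), Caret(Version) }

fn parse_req(r: &str) -> Req {
    match r.strip_prefix('=') {
        Some(v) => Req::Exact(parse(v.trim())),
        // A bare "4.0.0" in Cargo.toml is a caret requirement.
        None => Req::Caret(parse(r.trim_start_matches('^').trim())),
    }
}

fn matches(req: &Req, v: &Version) -> bool {
    match req {
        // "=x.y.z-pre" accepts exactly that version, pre-release tag included.
        Req::Exact(want) => want == v,
        // Caret (major >= 1, requirement without a pre-release tag): same major,
        // not older than the minimum, and pre-release versions are never selected.
        Req::Caret(min) => v.pre.is_none() && v.major == min.major
            && (v.minor, v.patch) >= (min.minor, min.patch),
    }
}

/// Cargo keeps one version per semver-compatible line (same major for >= 1.0),
/// so every requirement in the graph has to accept the same candidate.
fn unify<'a>(reqs: &[&str], candidates: &[&'a str]) -> Vec<&'a str> {
    let reqs: Vec<Req> = reqs.iter().map(|r| parse_req(r)).collect();
    candidates.iter().copied()
        .filter(|c| { let v = parse(c); reqs.iter().all(|r| matches(r, &v)) })
        .collect()
}

fn main() {
    let published = ["4.0.0-rc.1", "4.0.0"]; // the two versions named in the thread
    // snow's exact pin together with ed25519-dalek 2.0.0's requirement: no candidate.
    println!("{:?}", unify(&["=4.0.0-rc.1", "4.0.0"], &published));
    // Assumed relaxed requirement on the other side, for contrast: resolves to 4.0.0.
    println!("{:?}", unify(&["4.0.0", "4.0.0"], &published));
}
```

An exact pin on a pre-release is the kind of requirement that blocks a security update of a sibling crate until the pinning crate publishes a new release.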

@kayabaNerve
Contributor

A new version of snow has been released.

@mxinden
Member

mxinden commented Aug 17, 2023

Great. Would either of you @jxs or @kayabaNerve mind sending a pull request updating curve25519-dalek across the project?
