Permalink
Show file tree
Hide file tree
9 comments
on commit
sign in to comment.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
PrimeField: prevent infinite loop with composite primefields
- Loading branch information
1 parent
3b6030d
commit 6298d1c
Showing
2 changed files
with
8 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See https://news.sophos.com/en-us/2022/06/01/cve-2022-0778/ for more info
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any plans porting this to v2?
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@janedbal - no. The changed files do not even exist in the 2.0 branch:
https://github.com/phpseclib/phpseclib/tree/2.0.41/phpseclib/Math https://github.com/phpseclib/phpseclib/tree/2.0/phpseclib/Math
2.0 does not implement PrimeFields nor does it implement any feature that would even make use of them (eg. elliptic curves, GCM, UHASH) and I am not going to be backporting any of those features to the 2.0 branch.
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So is this report even valid? It says versions <= 2.0.41 are affected.
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The underlying issue is valid but the affected version is not valid. The affected versions for that issue are >= 3.0.0 < 3.0.19.
According to that report, using phpseclib 3.0.0 is all fine and dandy whilst 2.0.41 isn't, which is inaccurate.
I am in contact with the people who created the CVE to get it updated. idk how to create CVEs or if it's even possible to update them after the fact but fingers crossed🤞
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I already created fix-proposal github/advisory-database#1752 (hopefully I understood the form correctly), ok thx
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh - I didn't know that their advisory-database had a git repo. Thanks for that!
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a button for suggestions like this:

I used that.
6298d1cThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah - I hadn't seen that.
Thanks!
That said, I just did a new release of 2.0. Obviously it doesn't fix the non-issue but even if github.com merges the PR there's still Roave/SecurityAdvisories#108 to consider.