latest ed25519-dalek prev has sec bug #46
Security advisories found
2 advisory(ies), 2 unmaintained, 1 other
Details
Vulnerabilities
RUSTSEC-2022-0093
Double Public Key Signing Function Oracle Attack on
ed25519-dalek
Details | |
---|---|
Package | ed25519-dalek |
Version | 1.0.0-pre.3 |
URL | https://github.com/MystenLabs/ed25519-unsafe-libs |
Date | 2022-06-11 |
Patched versions | >=2 |
Versions of ed25519-dalek
prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair
, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.
Such APIs and serializations are inherently unsafe as the public key is one of
the inputs used in the deterministic computation of the S
part of the signature,
but not in the R
value. An adversary could somehow use the signing function as
an oracle that allows arbitrary public keys as input can obtain two signatures
for the same message sharing the same R
and only differ on the S
part.
Unfortunately, when this happens, one can easily extract the private key.
Revised public APIs in v2.0 of ed25519-dalek
do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.
RUSTSEC-2022-0090
libsqlite3-sys
via C SQLite CVE-2022-35737
Details | |
---|---|
Package | libsqlite3-sys |
Version | 0.20.1 |
URL | https://nvd.nist.gov/vuln/detail/CVE-2022-35737 |
Date | 2022-08-03 |
Patched versions | >=0.25.1 |
It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's printf
function.
As libsqlite3-sys
bundles SQLite, it is susceptible to the vulnerability. libsqlite3-sys
was updated to bundle the patched version of SQLite here.
Warnings
RUSTSEC-2020-0016
net2
crate has been deprecated; usesocket2
instead
Details | |
---|---|
Status | unmaintained |
Package | net2 |
Version | 0.2.39 |
URL | deprecrated/net2-rs@3350e38 |
Date | 2020-05-01 |
The net2
crate has been deprecated
and users are encouraged to considered socket2
instead.
RUSTSEC-2020-0056
stdweb is unmaintained
Details | |
---|---|
Status | unmaintained |
Package | stdweb |
Version | 0.4.20 |
URL | koute/stdweb#403 |
Date | 2020-05-04 |
The author of the stdweb
crate is unresponsive.
Maintained alternatives: