Bug ID 1232548
Summary VUL-0: CVE-2024-42460,CVE-2024-42461,CVE-2024-42459: deepin-manual: elliptic: Multiple vulnerabilities fixed in elliptic version 6.5.7
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.5
Hardware Other
URL https://smash.suse.de/issue/416168/
OS Other
Status NEW
Whiteboard CVSSv3.1:SUSE:CVE-2024-42459:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3.1:SUSE:CVE-2024-42460:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3.1:SUSE:CVE-2024-42461:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter gianluca.gabrielli@suse.com
QA Contact security-team@suse.de
Blocks 1232538
Target Milestone ---
Found By ---
Blocker ---

Comment # 1 on bug 1232548 from Gianluca Gabrielli
CVE-2024-42459:
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs
because there is a missing signature length check, and thus zero-valued bytes
can be removed or appended.

CVE-2024-42460:
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs
because there is a missing check for whether the leading bit of r and s is
zero.

CVE-2024-42461:
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs
because BER-encoded signatures are allowed.

The upstream fix for all of the above-mentioned CVEs is accb61e [0] and was part
of version 6.5.7.

References:
https://github.com/indutny/elliptic/pull/317


[0] https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11
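The three malleability causes described in the comment above, shown as defensive input checks in an added example. This is not code from the elliptic project, from the upstream fix, or from the reporter; the function names and the constructed sample signatures are assumptions made here. It strictly parses a DER `SEQUENCE { r INTEGER, s INTEGER }` and rejects BER length forms (indefinite or non-minimal), integers whose leading bit is set, unnecessary zero padding and trailing bytes, and it enforces a fixed 64-byte length for EdDSA signatures, assuming Ed25519 (R || S, 32 bytes each).

```javascript
// Added example, not code from the elliptic project or the bug reporter.
// Each rejection rule maps to one malleability class named in the bug:
// BER encodings (CVE-2024-42461), r/s with the leading bit set
// (CVE-2024-42460), and EdDSA signatures of the wrong length (CVE-2024-42459).

// Parse one DER length field at `pos`; returns {len, next} or throws.
// DER forbids the indefinite form (0x80) and non-minimal long forms; BER allows both.
function readDerLength(bytes, pos) {
  if (pos >= bytes.length) throw new Error('truncated length');
  const first = bytes[pos];
  if (first < 0x80) return { len: first, next: pos + 1 };
  if (first === 0x80) throw new Error('indefinite length is BER, not DER');
  const numBytes = first & 0x7f;
  if (numBytes > 2) throw new Error('length field too large for a signature');
  if (pos + 1 + numBytes > bytes.length) throw new Error('truncated length');
  let len = 0;
  for (let i = 0; i < numBytes; i++) len = (len << 8) | bytes[pos + 1 + i];
  // Minimal encoding: no leading zero byte, and the long form must be needed.
  if (bytes[pos + 1] === 0) throw new Error('non-minimal length (leading zero)');
  if (numBytes === 1 && len < 0x80) throw new Error('non-minimal length (short form fits)');
  return { len, next: pos + 1 + numBytes };
}

// Parse one DER INTEGER at `pos`; returns {value: BigInt, next} or throws.
function readDerUnsignedInteger(bytes, pos) {
  if (bytes[pos] !== 0x02) throw new Error('expected INTEGER tag');
  const { len, next } = readDerLength(bytes, pos + 1);
  if (len === 0) throw new Error('empty INTEGER');
  if (next + len > bytes.length) throw new Error('truncated INTEGER');
  const body = bytes.subarray(next, next + len);
  // A first byte with the high bit set is a negative two's-complement integer;
  // r and s are never negative, so such an encoding is rejected outright.
  if (body[0] & 0x80) throw new Error('INTEGER has leading bit set (negative)');
  // DER minimality: a leading 0x00 is only allowed to keep the next byte positive.
  if (len > 1 && body[0] === 0x00 && (body[1] & 0x80) === 0) {
    throw new Error('INTEGER has unnecessary leading zero');
  }
  let value = 0n;
  for (const b of body) value = (value << 8n) | BigInt(b);
  return { value, next: next + len };
}

// Strict parse of SEQUENCE { r INTEGER, s INTEGER }; returns {r, s} or throws.
function parseStrictEcdsaSignature(sig) {
  const bytes = sig instanceof Uint8Array ? sig : Uint8Array.from(sig);
  if (bytes.length < 8) throw new Error('too short');
  if (bytes[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const seq = readDerLength(bytes, 1);
  if (seq.next + seq.len !== bytes.length) {
    throw new Error('SEQUENCE length does not match signature length');
  }
  const r = readDerUnsignedInteger(bytes, seq.next);
  const s = readDerUnsignedInteger(bytes, r.next);
  if (s.next !== bytes.length) throw new Error('trailing bytes after s');
  if (r.value === 0n || s.value === 0n) throw new Error('r and s must be nonzero');
  return { r: r.value, s: s.value };
}

// True only if `sig` is a strict DER ECDSA signature.
function isStrictEcdsaSignature(sig) {
  try { parseStrictEcdsaSignature(sig); return true; } catch (e) { return false; }
}

// An Ed25519 signature is exactly 64 bytes (R || S); stripping or appending
// zero bytes changes the length, so a length check closes that gap.
const ED25519_SIG_LEN = 64;
function isValidEddsaSignatureLength(sig, expected = ED25519_SIG_LEN) {
  return sig.length === expected;
}

// Constructed samples: a canonical encoding of r = 0x7f, s = 0x81 (s carries a
// 0x00 pad because its high bit is set), then malleated variants of it.
const canonical = Uint8Array.from([0x30, 0x07, 0x02, 0x01, 0x7f, 0x02, 0x02, 0x00, 0x81]);
const negativeS = Uint8Array.from([0x30, 0x06, 0x02, 0x01, 0x7f, 0x02, 0x01, 0x81]);
const paddedR = Uint8Array.from([0x30, 0x08, 0x02, 0x02, 0x00, 0x7f, 0x02, 0x02, 0x00, 0x81]);
const berLongForm = Uint8Array.from([0x30, 0x81, 0x07, 0x02, 0x01, 0x7f, 0x02, 0x02, 0x00, 0x81]);
const trailingZero = Uint8Array.from([...canonical, 0x00]);

// Run the strict parser over the samples; returns sample name -> verdict.
function checkSamples() {
  const samples = { canonical, negativeS, paddedR, berLongForm, trailingZero };
  const verdicts = {};
  for (const [name, sig] of Object.entries(samples)) {
    try { parseStrictEcdsaSignature(sig); verdicts[name] = 'accepted'; }
    catch (e) { verdicts[name] = 'rejected: ' + e.message; }
  }
  return verdicts;
}

console.log(checkSamples());
```

Only `canonical` is accepted; every variant carries the same (r, s) pair in a different byte string, which is exactly what a strict decoder must refuse so that one signature has one valid encoding.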

