[Bug 1231562] New: VUL-0: CVE-2024-48949: python-pytest-html: elliptic: Missing Validation in Elliptic's EDDSA Signature Verification
https://bugzilla.suse.com/show_bug.cgi?id=1231562 Bug ID: 1231562 Summary: VUL-0: CVE-2024-48949: python-pytest-html: elliptic: Missing Validation in Elliptic's EDDSA Signature Verification Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/423528/ OS: Other Status: NEW Whiteboard: CVSSv3.1:SUSE:CVE-2024-48949:8.2:(AV:N/AC:L/PR:N/UI:N/ S:U/C:H/I:L/A:N) Severity: Major Priority: P5 - None Component: Security Assignee: daniel.garcia@suse.com Reporter: andrea.mattiazzo@suse.com QA Contact: security-team@suse.de Blocks: 1231557 Target Milestone: --- Found By: --- Blocker: --- The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-48949 https://www.cve.org/CVERecord?id=CVE-2024-48949 https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c7... https://github.com/indutny/elliptic/compare/v6.5.5...v6.5.6 https://bugzilla.redhat.com/show_bug.cgi?id=2317724 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1231562 https://bugzilla.suse.com/show_bug.cgi?id=1231562#c1 --- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo@suse.com> --- The packages below are or contain embedded packages that are vulnerable to CVE-2024-48949. Tracking as affected: - openSUSE:Factory/python-pytest-html contains embedded package: elliptic (6.5.4) - openSUSE:Factory/python-pytest-html contains embedded package: elliptic (6.5.5) Please consider version bumping or patching the affected dependencies. The listed codestreams are affected. All other codestreams should not be affected, but feel free to double-check. This is a auto-generated message, please reach out to the reporter directly if you think this is incorrect. No bug-owner found for these packages, if the assignation is not correct feel free to re-assign. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1231562 SMASH SMASH <smash_bz@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1231562 Daniel Garcia <daniel.garcia@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1231562 Daniel Garcia <daniel.garcia@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|daniel.garcia@suse.com |security-team@suse.de -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com