komodo master: 1 vulnerabilities (highest severity is: 5.3) #630
Comments
Thanks for bringing this to our attention. The vulnerable Regarding the CC library, we are actively working on a fix. One possible solution is switching to Stay tuned for updates with more information, and thank you once again. I also want to explicitly mention that KMD is not affected by

Correct, just wanted to pass on what came through the checks in my fork.

Btw, this code isn't only present in the CC library or As for CC itself, if I recall correctly, Ed25519 signatures aren't used for anything critical in
* cc: fix ed25519 signatures malleability

  - #630
  - https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/#vuln-ed25519

  Actually, the current CC code doesn't use Ed25519 signatures, so `CVE-2024-45193` has no impact on Komodo (KMD) or any existing assetchains. However, since CC could potentially use these types of signatures in the future (e.g., for newly developed CCs), we've added a `0 <= s < L` check to prevent signature malleability.

* add ed25519 signature malleability test

* use int instead of size_t in 0 <= s < L check loop

  Using a signed integer type (int) is preferable here, to avoid potential issues with unsigned underflow.

* cc: test, update pytest ver. requirement

  Addressed in #631
Closed as fixed in #632.
Vulnerable Library - komodo
Komodo
Library home page: https://github.com/KomodoPlatform/komodo.git
Found in HEAD commit: 0adeeabdd484ef40539d1275c6a765f5c530ea79
Vulnerable Source Files (1)
/src/cryptoconditions/src/include/ed25519/src/ed25519.h
Vulnerabilities
Details
CVE-2024-45193
Found in base branch: master
Vulnerability Details
An issue was discovered in Matrix libolm through 3.2.16. There is Ed25519 signature malleability due to lack of validation criteria (does not ensure that S < n). This refers to the libolm implementation of Olm. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2024-08-22
URL: CVE-2024-45193
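The check the description refers to is a range test on the second half of the signature: an Ed25519 signature is R || S, with S a 32-byte little-endian scalar, and the verifier must reject any S that is not strictly below the group order L = 2^252 + 27742317777372353535851937790883648493. Without it, anyone holding a valid signature can produce a second valid one for the same message by replacing S with S + L (the verification equation only depends on S mod L, and for canonical S the sum still fits in 32 bytes). The C program below is an added illustration written for this page, not code from libolm, from the komodo cryptoconditions tree or from the fix commit; the function names `ed25519_s_is_canonical`, `ed25519_sig_s_canonical`, `ed25519_add_l` and `demo_malleability`, the constant `ED25519_L` and the sample signature are all assumptions made here. It does not perform full Ed25519 verification; it only shows the range check, why the loop index should be a signed integer, and the malleated signature that the check rejects.

```c
#include <stdio.h>
#include <string.h>

/* L = 2^252 + 27742317777372353535851937790883648493, the order of the
 * Ed25519 base point, as 32 little-endian bytes (RFC 8032 section 5.1). */
const unsigned char ED25519_L[32] = {
    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};

/* Return 1 if the 32-byte little-endian scalar s satisfies 0 <= s < L,
 * else 0. S is public, so this comparison need not be constant time.
 * The loop index is a signed int on purpose: with size_t, "i >= 0" is
 * always true and i-- at 0 wraps around instead of ending the loop. */
int ed25519_s_is_canonical(const unsigned char *s)
{
    for (int i = 31; i >= 0; i--) {   /* most significant byte first */
        if (s[i] < ED25519_L[i]) return 1;
        if (s[i] > ED25519_L[i]) return 0;
    }
    return 0; /* s == L: rejected, s must be strictly less than L */
}

/* Apply the check to a full 64-byte signature R || S. */
int ed25519_sig_s_canonical(const unsigned char *sig)
{
    return ed25519_s_is_canonical(sig + 32);
}

/* out = s + L mod 2^256 (little-endian add with carry). For canonical s
 * the sum is below 2^254, so it still fits in 32 bytes. */
void ed25519_add_l(const unsigned char *s, unsigned char *out)
{
    unsigned int carry = 0;
    for (int i = 0; i < 32; i++) {
        unsigned int v = (unsigned int)s[i] + ED25519_L[i] + carry;
        out[i] = (unsigned char)(v & 0xff);
        carry = v >> 8;
    }
}

/* Walk through the malleability scenario on a constructed signature.
 * Returns 1 if the check behaves as required: the original S (here S = 1)
 * is accepted, S + L is rejected, S = L is rejected and S = L - 1 is
 * accepted; returns 0 otherwise. */
int demo_malleability(void)
{
    unsigned char sig[64];
    unsigned char malleated[64];
    unsigned char s_l_minus_1[32];

    /* Constructed sample (hypothetical): R is filler bytes, S = 1. A real
     * signer derives R and S from a key; only the range of S matters here. */
    memset(sig, 0xAA, 32);
    memset(sig + 32, 0, 32);
    sig[32] = 1;

    /* Anyone who sees sig can replace S with S + L. Because the base point
     * has order L, [S + L]B == [S]B, so a verifier without the range check
     * accepts both signatures for the same message. */
    memcpy(malleated, sig, 32);
    ed25519_add_l(sig + 32, malleated + 32);

    memcpy(s_l_minus_1, ED25519_L, 32);
    s_l_minus_1[0] -= 1; /* 0xed -> 0xec, no borrow needed */

    int ok = 1;
    ok &= (ed25519_sig_s_canonical(sig) == 1);
    ok &= (ed25519_sig_s_canonical(malleated) == 0);
    ok &= (ed25519_s_is_canonical(ED25519_L) == 0);
    ok &= (ed25519_s_is_canonical(s_l_minus_1) == 1);
    return ok;
}

int main(void)
{
    printf("canonical S check behaves as expected: %s\n",
           demo_malleability() ? "yes" : "no");
    return 0;
}
```

In a real verifier the range check runs before any curve arithmetic, so a non-canonical S is rejected without computing the verification equation at all; the sign of the loop index is the detail the fix commit calls out, since a `size_t` counting down from 31 never becomes negative and the loop would read past the front of the buffer.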
CVSS 3 Score Details (5.3)