BitBoxSwiss / bitbox02-firmware

Firmware code of the BitBox02 hardware wallet
https://bitbox.swiss/bitbox02
Apache License 2.0

Impact of GHSA-wj6h-64fc-37mp on Python Bitbox package #1168

Closed dspicher closed 5 months ago

dspicher commented 5 months ago

A timing attack has been published for signatures created with the ecdsa package on the P-256 curve.

As far as I can tell (grepping for NIST256p), P-256 usage in the bitbox02 package is restricted to verifying signatures. I would therefore conclude that the bitbox02 package is not affected by the vulnerability. Do you agree?
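The "grep for NIST256p" check described in the comment above, turned into a small static scan. This is an added example, not code from the bitbox02 repository or from the reporter: it uses only the standard-library `ast` module (python-ecdsa itself need not be installed) and the public python-ecdsa names `SigningKey`, `VerifyingKey`, `sign*` and `verify*`; the two sample modules it scans are constructed. It separates signing sites, where a private key is used and a timing leak would matter, from verify-only sites, and records which curve identifiers appear so a reviewer can see the P-256 usage at a glance.

```python
"""Classify python-ecdsa usage in Python source as signing vs. verifying.

Added example (not bitbox02 code). Pure static scan with the standard-library
``ast`` module; the sample inputs at the bottom are constructed.
"""
import ast
from dataclasses import dataclass, field
from pathlib import Path

# Public python-ecdsa names that create signatures (private-key operations,
# the timing-sensitive side) versus names that only verify them.
SIGNING_NAMES = {"SigningKey", "sign", "sign_deterministic",
                 "sign_digest", "sign_digest_deterministic"}
VERIFYING_NAMES = {"VerifyingKey", "verify", "verify_digest"}
# python-ecdsa curve objects are named NIST256p, SECP256k1, BRAINPOOLP256r1, ...
CURVE_PREFIXES = ("NIST", "SECP", "BRAINPOOL")


@dataclass
class EcdsaUsage:
    signing: list = field(default_factory=list)    # (line, name) of signing sites
    verifying: list = field(default_factory=list)  # (line, name) of verify sites
    curves: set = field(default_factory=set)       # curve identifiers referenced

    def affected(self) -> bool:
        # The timing attack targets signature creation; a module that only
        # verifies holds no private key to leak, so any signing site is a finding.
        return bool(self.signing)


class _Scanner(ast.NodeVisitor):
    def __init__(self):
        self.usage = EcdsaUsage()

    def _note(self, name: str, lineno: int) -> None:
        if name in SIGNING_NAMES:
            self.usage.signing.append((lineno, name))
        elif name in VERIFYING_NAMES:
            self.usage.verifying.append((lineno, name))
        elif name.startswith(CURVE_PREFIXES):
            self.usage.curves.add(name)

    def visit_Name(self, node: ast.Name) -> None:
        self._note(node.id, node.lineno)

    def visit_Attribute(self, node: ast.Attribute) -> None:
        self._note(node.attr, node.lineno)
        self.generic_visit(node)  # keep descending: ecdsa.VerifyingKey.from_string


def audit_source(source: str, filename: str = "<string>") -> EcdsaUsage:
    """Scan one module's source text and classify its python-ecdsa usage."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source, filename))
    return scanner.usage


def audit_tree(root: str) -> dict:
    """Scan every .py file under ``root``; returns {path: EcdsaUsage}."""
    return {str(p): audit_source(p.read_text(encoding="utf-8"), str(p))
            for p in Path(root).rglob("*.py")}


# Constructed sample modules (not from the bitbox02 package).
VERIFY_ONLY = '''
import ecdsa
from ecdsa import NIST256p

def check(pubkey_bytes, sig, msg):
    vk = ecdsa.VerifyingKey.from_string(pubkey_bytes, curve=NIST256p)
    return vk.verify(sig, msg)
'''

SIGNS = '''
from ecdsa import SigningKey, NIST256p

def make_sig(msg):
    sk = SigningKey.generate(curve=NIST256p)
    return sk.sign(msg)
'''

if __name__ == "__main__":
    for label, src in (("verify-only module", VERIFY_ONLY), ("signing module", SIGNS)):
        u = audit_source(src)
        print(f"{label}: affected={u.affected()} curves={sorted(u.curves)} "
              f"signing={u.signing} verifying={u.verifying}")
```

Run it against a checkout with `audit_tree("py/bitbox02")` (path assumed) and look at `affected()` per file: a package whose only P-256 use is `VerifyingKey`/`verify` reports no signing sites, which is the conclusion reached in the comment above. The scan is name-based, so aliased imports (`from ecdsa import SigningKey as K`) would need the alias added to `SIGNING_NAMES`.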

benma commented 5 months ago

Thanks! Yes, I agree.

dspicher commented 5 months ago

Great, thanks for the quick response.