browserify / crypto-browserify

partial implementation of node's `crypto` for the browser
MIT License

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. #195

Closed bsomeshwer closed 3 years ago

bsomeshwer commented 3 years ago

Hi

Issue:

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature. I'm using Elliptic version 6.5.3, but I'm still facing this issue in my project.

Could you please let me know what could be the reason for this?

I tried npm install elliptic@6.5.3 and npm audit fix, and I played around with a lot of other approaches, but the issue still persists.

Thanks

Image reference:

Note: Actually, this issue is thrown by crypto-browserify. crypto-browserify internally uses a few packages, and those packages internally use elliptic.

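As an added example (not the reporter's code and not part of crypto-browserify or elliptic), the check below accepts only the single canonical DER encoding of an ECDSA signature and rejects the encoding variants the issue title names (redundant leading '\0' bytes, mismatched lengths, trailing bytes). The sample signatures are constructed with tiny r and s values for readability; they are not real curve output.

```javascript
'use strict';

// Parse one DER INTEGER at `pos`; returns { value: Buffer, next } or throws.
// Only the short length form is accepted: a 256-bit r or s never needs more.
function readDerInteger(buf, pos) {
  if (buf[pos] !== 0x02) throw new Error('expected INTEGER tag');
  const len = buf[pos + 1];
  if (len === undefined || len === 0 || len >= 0x80) throw new Error('bad INTEGER length');
  const start = pos + 2;
  const end = start + len;
  if (end > buf.length) throw new Error('INTEGER runs past end of signature');
  const v = buf.subarray(start, end);
  if (v[0] & 0x80) throw new Error('negative INTEGER');
  // A leading 0x00 is allowed only when it is needed to keep the value positive;
  // any other leading zero is a second encoding of the same number.
  if (v.length > 1 && v[0] === 0x00 && !(v[1] & 0x80)) {
    throw new Error('non-minimal INTEGER (redundant leading zero)');
  }
  return { value: v, next: end };
}

// Returns { r, s } as hex strings for a canonical DER signature, or throws.
function parseStrictDerSignature(sig) {
  const buf = Buffer.from(sig);
  if (buf[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const seqLen = buf[1];
  if (seqLen === undefined || seqLen >= 0x80) throw new Error('bad SEQUENCE length');
  if (seqLen !== buf.length - 2) throw new Error('SEQUENCE length does not match signature length');
  const r = readDerInteger(buf, 2);
  const s = readDerInteger(buf, r.next);
  if (s.next !== buf.length) throw new Error('trailing bytes after signature');
  return { r: r.value.toString('hex'), s: s.value.toString('hex') };
}

// True if `sig` is in canonical DER form, false for any encoding variant.
function isCanonicalDer(sig) {
  try { parseStrictDerSignature(sig); return true; } catch (e) { return false; }
}

// Constructed sample signatures (r = 1, s = 2), not real secp256k1 output.
const canonical   = Buffer.from('3006020101020102', 'hex');   // the one valid encoding
const leadingZero = Buffer.from('300702020001020102', 'hex'); // r encoded as 00 01
const trailing    = Buffer.from('300702010102010200', 'hex'); // SEQUENCE length covers an extra byte
```

Range checking (0 < r, s < n) and a low-s policy are separate steps this encoding check does not perform.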

borisvida commented 3 years ago

It seems that the create-ecdh and crypto-browserify dependencies need to be updated; both should already be patched.

gustawdaniel commented 3 years ago

It can be updated now because it was fixed in 4.0.4:

https://github.com/crypto-browserify/createECDH/releases

This pull request:

https://github.com/crypto-browserify/createECDH/pull/16

calvinmetcalf commented 3 years ago

This should automatically be included in the version range.