GHSA-x9w5-v3q2-3rhw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-x9w5-v3q2-3rhw/GHSA-x9w5-v3q2-3rhw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x9w5-v3q2-3rhw
- Aliases
- Published
- 2023-10-26T20:53:21Z
- Modified
- 2025-02-13T19:19:37Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
- Details
-
Summary
An upper bound check issue in
dsaVerifyfunction allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack.Details
In
dsaVerifyfunction, it checks whether the value of the signature is legal by calling functioncheckValue, namely, whetherrandsare both in the interval[1, q - 1]. However, the second line of thecheckValuefunction wrongly checks the upper bound of the passed parameters, since the value ofb.cmp(q)can only be0,1and-1, and it can never be greater thanq.In this way, although the values of
scannot be0, an attacker can achieve the same effect as zero by setting its value toq, and then send(r, s) = (1, q)to pass the verification of any public key.Impact
All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability.
Fix PR:
Since the temporary private fork was deleted, here's a webarchive of the PR discussion and diff pages: PR webarchive.zip
- Database specific
{ "github_reviewed_at": "2023-10-26T20:53:21Z", "github_reviewed": true, "severity": "HIGH", "nvd_published_at": "2023-10-26T15:15:09Z", "cwe_ids": [ "CWE-347" ] }- References
-
- https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
- https://nvd.nist.gov/vuln/detail/CVE-2023-46234
- https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
- https://github.com/browserify/browserify-sign
- https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ
- https://www.debian.org/security/2023/dsa-5539
Affected packages
npm / browserify-sign
Package
- Name
- browserify-sign
- View open source insights on deps.dev
- Purl
- pkg:npm/browserify-sign