GHSA-fr8m-434r-g3xp: gnark-crypto doesn't range check input values during ECDSA and EdDSA signature deserialization
During deserialization of ECDSA and EdDSA signatures gnark-crypto did not check that the values are in the range [1, n-1] with n being the corresponding modulus (either base field modulus in case of R in EdDSA, and scalar field modulus in case of s,r in ECDSA and s in EdDSA). As this also allowed zero inputs, then it was possible to craft a signature which lead to null pointer dereference, leading to denial-of-service of an application. This also enabled weak signature malleability when the users assumed uniqueness of the serialized signatures (but not the underlying modulo reduced values).
We are not aware of any users impacted by the bug. The implemented signature schemes in gnark-crypto complement the in-circuit versions in gnark, allowing to have end-to-end tests.
References
- github.com/Consensys/gnark-crypto
- github.com/Consensys/gnark-crypto/pull/449
- github.com/Consensys/gnark-crypto/releases/tag/v0.12.0
- github.com/Consensys/gnark-crypto/security/advisories/GHSA-fr8m-434r-g3xp
- github.com/advisories/GHSA-9xfq-8j3r-xp5g
- github.com/advisories/GHSA-fr8m-434r-g3xp
- go.dev/blog/defer-panic-and-recover
Code Behaviors & Features
Detect and mitigate GHSA-fr8m-434r-g3xp with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →