browserify / crypto-browserify

partial implementation of node's `crypto` for the browser


The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows.

bsomeshwer opened this issue · comments

Hi

Issue:

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows.

This could conceivably have a security-relevant impact if an application relied on a single canonical signature. I'm using Elliptic version 6.5.3, but I'm still facing this issue in my project.

Could you please let me know what could be the reason for this?

I tried npm install elliptic@6.5.3
and
npm audit fix
and I played around with a lot of other ways, but the issue still persists.

Thanks

Image reference:

Note: Actually, this issue is being thrown by crypto-browserify. crypto-browserify internally uses a few packages, and those packages internally use elliptic.

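As an added example (not code from crypto-browserify, elliptic or the reporter), here is a strict DER check an application can run on an ECDSA signature before passing it to the library, so that the encoding variants named in the report (padding '\0' bytes, non-minimal lengths, out-of-range integers) are rejected instead of being accepted as alternative encodings of the same signature. The secp256k1 group order is assumed as the default range bound, and the sample (r, s) values are constructed.

```javascript
// Strict DER parser for an ECDSA signature SEQUENCE { INTEGER r, INTEGER s }. It rejects
// the variants the issue describes: padding '\0' bytes, non-minimal or long-form lengths,
// trailing data, and r or s outside [1, n-1] for the curve order n (secp256k1 by default).
const SECP256K1_N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');

function readStrictInteger(bytes, off) {
  if (bytes[off] !== 0x02) throw new Error('expected INTEGER tag');
  const len = bytes[off + 1];
  if (!len || len >= 0x80) throw new Error('bad INTEGER length');
  const start = off + 2, end = start + len;
  if (end > bytes.length) throw new Error('INTEGER overruns buffer');
  if (bytes[start] & 0x80) throw new Error('negative INTEGER');
  // A leading 0x00 is canonical only when the next byte would otherwise read as negative.
  if (len > 1 && bytes[start] === 0x00 && !(bytes[start + 1] & 0x80)) throw new Error('padding \\0 byte');
  return { value: BigInt('0x' + bytes.subarray(start, end).toString('hex')), next: end };
}
function parseStrictDerSignature(sig, order = SECP256K1_N) {
  const bytes = Buffer.from(sig);
  if (bytes.length < 8 || bytes[0] !== 0x30) throw new Error('expected SEQUENCE');
  if (bytes[1] >= 0x80 || bytes[1] !== bytes.length - 2) throw new Error('bad SEQUENCE length');
  const r = readStrictInteger(bytes, 2);
  const s = readStrictInteger(bytes, r.next);
  if (s.next !== bytes.length) throw new Error('trailing bytes after s');
  for (const v of [r.value, s.value]) {
    if (v <= 0n || v >= order) throw new Error('r or s outside [1, n-1]');
  }
  return { r: r.value, s: s.value };
}
function isCanonicalSignature(sig, order) {
  try { parseStrictDerSignature(sig, order); return true; } catch (e) { return false; }
}

// Minimal DER encoder, used only to build the constructed sample inputs below.
function derInteger(v) {
  let hex = v.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const body = Buffer.from(hex, 'hex');
  const out = body[0] & 0x80 ? Buffer.concat([Buffer.from([0]), body]) : body;
  return Buffer.concat([Buffer.from([0x02, out.length]), out]);
}
function encodeDer(r, s) {
  const body = Buffer.concat([derInteger(r), derInteger(s)]);
  return Buffer.concat([Buffer.from([0x30, body.length]), body]);
}
// Constructed sample (r, s), not a real signature. `padded` is the same (r, s) with an
// extra '\0' in front of r: a lenient decoder accepts it, the strict check must not.
const R = 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdefn;
const S = 0x0fedcba0987654321fedcba0987654321fedcba0987654321fedcba098765432n;
const canonical = encodeDer(R, S);
const padded = Buffer.concat([Buffer.from([0x30, canonical[1] + 1, 0x02, canonical[3] + 1, 0x00]), canonical.subarray(4)]);
```

Running the strict check on `canonical` succeeds, while `padded`, a copy with a trailing byte, or an encoding with r equal to the group order is rejected.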

It seems that the create-ecdh and crypto-browserify dependencies need to be updated; both should already be patched.

It can be updated now because of

it was fixed in 4.0.4

https://github.com/crypto-browserify/createECDH/releases

This pull request:

browserify/createECDH#16

This should automatically be included in the version range.