RUSTSEC-2022-0093 #4327
Comments
Will this be a patch-release in both cases? I hope 🤞
Thank you @jxs for raising attention for this. Trying to understand the impact of this vulnerability.
```rust
/// Try to parse a keypair from the [binary format](https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.5)
/// produced by [`Keypair::to_bytes`], zeroing the input on success.
///
/// Note that this binary format is the same as `ed25519_dalek`'s and `ed25519_zebra`'s.
pub fn try_from_bytes(kp: &mut [u8]) -> Result<Keypair, DecodingError> {
    ed25519::Keypair::from_bytes(kp)
        .map(|k| {
            kp.zeroize();
            Keypair(k)
        })
        .map_err(|e| DecodingError::failed_to_parse("Ed25519 keypair", e))
}
```
I don't see how an attacker would be able to influence the input public key to extract the private key, as the latter is already known to the attacker at that point.
libp2p-noise
As far as I can tell `libp2p-noise`, i.e. `snow`, is using [curve25519‑dalek](https://github.com/dalek-cryptography/curve25519-dalek/blob/main/curve25519-dalek) and not ed25519‑dalek. See `snow`'s `Cargo.toml`.
The RUSTSEC is only for curve25519‑dalek.
@jxs am I missing something?
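The comment above turns on whether the public-key half of the bytes handed to `try_from_bytes` can differ from the key the secret half implies. As an added example (not part of this thread or of rust-libp2p's code), the Python sketch below derives the public key from the 32-byte seed per RFC 8032 section 5.1.5 and rejects a 64-byte keypair whose stored public half does not match. It assumes the layout is seed followed by public key; the function names are hypothetical and the arithmetic is not constant-time, so it suits offline validation and tests only.

```python
import hashlib

# Ed25519 curve constants (RFC 8032, section 5.1).
P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P
BASE = (
    15112221349535400772501151409588531511454012693041857206046113283949847762202,
    46316835694926478169428394003475163141307993866256225615783033603165251855960,
)
# Sample input: RFC 8032 section 7.1, TEST 1 (a public test vector, not a real key).
RFC_SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
RFC_PUB = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")


def _add(a, b):
    """Add two points given in extended coordinates (X, Y, Z, T)."""
    A = (a[1] - a[0]) * (b[1] - b[0]) % P
    B = (a[1] + a[0]) * (b[1] + b[0]) % P
    C = 2 * a[3] * b[3] * D % P
    Dd = 2 * a[2] * b[2] % P
    E, F, G, H = B - A, Dd - C, Dd + C, B + A
    return (E * F % P, G * H % P, F * G % P, E * H % P)


def derive_public(seed: bytes) -> bytes:
    """Derive the 32-byte public key from a 32-byte seed (RFC 8032, 5.1.5)."""
    h = hashlib.sha512(seed).digest()
    s = int.from_bytes(h[:32], "little")
    s = (s & ((1 << 254) - 8)) | (1 << 254)  # clamp the scalar
    acc = (0, 1, 1, 0)  # neutral element
    pt = (BASE[0], BASE[1], 1, BASE[0] * BASE[1] % P)
    while s:  # double-and-add; NOT constant time
        if s & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        s >>= 1
    zinv = pow(acc[2], P - 2, P)
    x, y = acc[0] * zinv % P, acc[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def keypair_is_consistent(kp: bytes) -> bool:
    """True only if kp is 64 bytes and its public half matches its seed."""
    if len(kp) != 64:
        return False
    return derive_public(kp[:32]) == kp[32:]
```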
Ah, sorry for not being completely clear in the previous comment.
A new version of snow has been released.
Great. Would either of you @jxs or @kayabaNerve mind sending a pull request updating curve25519‑dalek across the project?
Description
RUSTSEC-2022-0093 has just been issued which will make `cargo deny` fail on the CI. I tried updating `identity` and `noise` that depend on it, but we are blocked by mcginty/snow#164