Package: ecdsautils / 0.3.2+git20151018-2+deb10u1
Metadata
Package | Version | Patches format |
---|---|---|
ecdsautils | 0.3.2+git20151018-2+deb10u1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
0001 verify fix signature verification CVE 2022 24884.patch | src/ecdsa.c: 11 11 + 0 - 0 ! | verify: fix signature verification (CVE-2022-24884). Verify that r and s are non-zero. Without these checks, an all-zero signature is always considered valid. While it would be nicer to error out in ecdsa_verify_prepare_legacy() already, that would require users of libecdsautil to check a return value of the prepare step. To be safe, implement the fix in an API/ABI-compatible way that doesn't need changes to the users. |