Package: ecdsautils / 0.3.2+git20151018-2+deb10u1

Metadata

Package: ecdsautils
Version: 0.3.2+git20151018-2+deb10u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 verify fix signature verification CVE 2022 24884.patch

src/ecdsa.c | 11 (11 +, 0 -, 0 !)
1 file changed, 11 insertions(+)

verify: fix signature verification (CVE-2022-24884)

Verify that r and s are non-zero. Without these checks, an all-zero
signature is always considered valid.

While it would be nicer to error out in ecdsa_verify_prepare_legacy()
already, that would require users of libecdsautil to check a return value
of the prepare step. To be safe, implement the fix in an API/ABI-compatible
way that doesn't need changes to the users.
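
The effect of the missing check, as an added example that is not ecdsautils code and not taken from the patch: a textbook ECDSA verifier over a constructed toy curve, with and without the r, s non-zero test. The Fermat inversion that maps 0 to 0 and the identity point stored with x = 0 are modelling assumptions of this sketch, not statements about libecdsautil internals; all names are hypothetical.

```c
#include <stdio.h>
/* Constructed toy curve (not secure): y^2 = x^3 + 2x + 2 over F_17,
 * base point G = (5,1) of prime order 19. */
enum { P = 17, A = 2, N = 19 };
typedef struct { int x, y, inf; } pt;

static int md(int a, int m) { return ((a % m) + m) % m; }
static int mpow(int b, int e, int m) {
    int r = 1;
    for (b = md(b, m); e > 0; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}
/* Assumed inversion method: Fermat, a^(m-2) mod m. It maps 0 to 0 instead of failing. */
static int minv(int a, int m) { return mpow(a, m - 2, m); }

static pt add(pt a, pt b) {
    int l;
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x && md(a.y + b.y, P) == 0) return (pt){ 0, 0, 1 }; /* a = -b */
    if (a.x == b.x) l = md((3 * a.x * a.x + A) * minv(2 * a.y, P), P);
    else            l = md((b.y - a.y) * minv(b.x - a.x, P), P);
    int x = md(l * l - a.x - b.x, P);
    return (pt){ x, md(l * (a.x - x) - a.y, P), 0 };
}

static pt mul(int k, pt a) {
    pt r = { 0, 0, 1 };                  /* identity, stored with x = 0 */
    for (; k > 0; k >>= 1, a = add(a, a))
        if (k & 1) r = add(r, a);
    return r;
}

/* Textbook ECDSA verify of hash z; checked != 0 adds the r, s != 0 test. */
int verify(int z, int r, int s, pt Q, int checked) {
    pt G = { 5, 1, 0 }, R;
    if (checked && (r == 0 || s == 0)) return 0;
    int w = minv(s, N);                  /* s = 0 gives w = 0, so u1 = u2 = 0 */
    R = add(mul(md(z * w, N), G), mul(md(r * w, N), Q));
    return md(R.x, N) == r;              /* identity has x = 0, equal to r = 0 */
}

int main(void) {
    pt Q = mul(3, (pt){ 5, 1, 0 });      /* constructed key pair, d = 3 */
    printf("unchecked(0,0)=%d checked(0,0)=%d checked(7,14)=%d\n",
           verify(5, 0, 0, Q, 0), verify(5, 0, 0, Q, 1), verify(5, 7, 14, Q, 1));
    return 0;
}
```

In this model the unchecked verifier accepts (0, 0) for any hash and any public key, while the checked one rejects it and still accepts the genuine signature (7, 14) on hash 5.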