
Security vulnerability on dependency libsecp256k1 #1192

Closed
Tracked by #1231
emmanuelm41 opened this issue Jul 13, 2021 · 5 comments · Fixed by #1244
Labels
Priority: 1 - Critical Requires immediate attention

Comments

emmanuelm41 commented Jul 13, 2021

Issue summary
Today a vulnerability was discovered in one of the crates the lib uses. This is the link to that issue. Now, when an app runs cargo audit it fails because this new bug was discovered. If you try to update it, the build process fails.

Other information and links
Cargo audit partial output:

Crate:         libsecp256k1
Version:       0.3.5
Title:         libsecp256k1 allows overflowing signatures
Date:          2021-07-13
ID:            RUSTSEC-2021-0076
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0076
Solution:      Upgrade to >=0.5.0
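As an added example (not code from the forest repository or from the libsecp256k1 crate), here is the range check that separates a strict signature parser from one that accepts overflowing scalars, the defect the advisory above names; that the crate's fix takes exactly this form is an assumption, the check itself is standard ECDSA input validation written from scratch with no dependencies.

```rust
// Added example, not code from the forest repository or the libsecp256k1 crate.
// An ECDSA signature over secp256k1 is canonical only if r and s are both in
// [1, n-1], n being the group order; accepting r or s >= n ("overflowing"
// scalars) lets more than one byte string stand for the same signature.

/// secp256k1 group order n, big-endian (well-known constant).
pub const SECP256K1_ORDER: [u8; 32] = [
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
    0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
    0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
];

#[derive(Debug, PartialEq, Eq)]
pub enum SigError {
    ROverflow,  // r >= n
    SOverflow,  // s >= n
    ZeroScalar, // r == 0 or s == 0, never a valid ECDSA signature
}

/// Strict parse of a 64-byte (r || s) signature. Equal-length big-endian byte
/// arrays compare lexicographically, which is numeric comparison here, so no
/// big-integer library is needed.
pub fn parse_signature_standard(sig: &[u8; 64]) -> Result<([u8; 32], [u8; 32]), SigError> {
    let mut r = [0u8; 32];
    let mut s = [0u8; 32];
    r.copy_from_slice(&sig[..32]);
    s.copy_from_slice(&sig[32..]);
    if r >= SECP256K1_ORDER {
        return Err(SigError::ROverflow);
    }
    if s >= SECP256K1_ORDER {
        return Err(SigError::SOverflow);
    }
    if r == [0u8; 32] || s == [0u8; 32] {
        return Err(SigError::ZeroScalar);
    }
    Ok((r, s))
}

fn main() {
    // Constructed sample: r = 1, s = n (overflowing by exactly one).
    let mut sig = [0u8; 64];
    sig[31] = 1;
    sig[32..].copy_from_slice(&SECP256K1_ORDER);
    println!("{:?}", parse_signature_standard(&sig)); // Err(SOverflow)
}
```

Running cargo audit only tells you an affected version is in the dependency tree; a check like this is what the upgraded parser must enforce on every signature it accepts.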
@emmanuelm41 emmanuelm41 added the Status: Needs Triage Issue has unresolved discussions and/or needs to be assigned a priority and assignee label Jul 13, 2021
@emmanuelm41 emmanuelm41 changed the title Security vulne libsecp256k1 crate to 0.5.0 Security vulnerability on dependency libsecp256k1 Jul 13, 2021
cryptoquick (Contributor) commented

We believe this issue might be solved by upgrading libp2p. We'd like to take care of that before addressing this directly, since that might take care of it.

rllola commented Aug 5, 2021

@cryptoquick I think you need to upgrade libsecp256k1 to 0.5.0 or 0.6.0.

see https://github.com/ChainSafe/forest/blob/main/crypto/Cargo.toml#L16

cryptoquick (Contributor) commented Aug 5, 2021

Heh, unfortunately, it's not quite that simple. @rllola I should rephrase, we need to update libp2p before this issue can be solved, since it also depends on the older version of the crate. So it's not quite that simple. However, I got work started towards this issue in #1202.

@cryptoquick cryptoquick self-assigned this Aug 5, 2021
@alexkarasyov alexkarasyov removed the Status: Needs Triage Issue has unresolved discussions and/or needs to be assigned a priority and assignee label Aug 6, 2021
@ec2 ec2 self-assigned this Sep 27, 2021
@lerajk lerajk added the Priority: 2 - High Very important and should be addressed ASAP label Sep 27, 2021
@q9f q9f mentioned this issue Sep 28, 2021
@q9f q9f added Priority: 1 - Critical Requires immediate attention and removed Priority: 2 - High Very important and should be addressed ASAP labels Sep 28, 2021
@ec2 ec2 linked a pull request Oct 15, 2021 that will close this issue
@q9f q9f closed this as completed in #1244 Oct 18, 2021
rllola commented Oct 20, 2021

Hi @q9f
We are happy to see this issue closed. Are you planning to release those changes soon?

ec2 (Member) commented Oct 20, 2021

Yes. We can release these crates next week.
