From 1a18a429fc9cad5ae3594fffcd771ea2f6631fdd Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Sat, 25 Feb 2017 15:51:05 -0800 Subject: [PATCH] Advisory: sodiumoxide degenerate public keys Fixed in sodiumoxide 0.0.14. See: https://github.com/dnaq/sodiumoxide/issues/154 --- crates/sodiumoxide/RUSTSEC-0000-0000.toml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 crates/sodiumoxide/RUSTSEC-0000-0000.toml diff --git a/crates/sodiumoxide/RUSTSEC-0000-0000.toml b/crates/sodiumoxide/RUSTSEC-0000-0000.toml new file mode 100644 index 0000000..5df8d18 --- /dev/null +++ b/crates/sodiumoxide/RUSTSEC-0000-0000.toml @@ -0,0 +1,14 @@ +[advisory] +package = "sodiumoxide" +patched_versions = [">= 0.0.14"] +dwf = [] +url = "https://github.com/dnaq/sodiumoxide/issues/154" +title = "scalarmult() vulnerable to degenerate public keys" +description = """ +The `scalarmult()` function included in previous versions of this crate +accepted all-zero public keys, for which the resulting Diffie-Hellman shared +secret will always be zero regardless of the private key used. + +This issue was fixed by checking for this class of keys and rejecting them +if they are used. +"""