Add svix signature verification issue (#1875)

2026-01-06 03:29:45 +01:00 · 2024-02-06 12:55:25 -05:00
parent 1d2202ea2b
commit d3d8d65101
1 changed files with 21 additions and 0 deletions
--- a/crates/svix/RUSTSEC-0000-0000.md
+++ b/crates/svix/RUSTSEC-0000-0000.md
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "svix"
+date = "2024-02-06"
+url = "https://github.com/svix/svix-webhooks/pull/1190"
+categories = ["crypto-failure"]
+
+[affected]
+functions = { "svix::webhooks::Webhook::verify" = ["< 1.17.0"] }
+
+[versions]
+patched = [">= 1.17.0"]
+```
+
+# Improper comparison of different-length signatures
+
+The `Webhook::verify` function incorrectly compared signatures of
+different lengths - the two signatures would only be compared up to
+the length of the shorter signature. This allowed an attacker to
+pass in `v1,` as the signature, which would always pass verification.