[Security] Bump browserify-sign from 4.2.1 to 4.2.2 in /assets
Bumps browserify-sign from 4.2.1 to 4.2.2. This update includes a security fix.
Vulnerabilities fixed
browserify-sign upper bound check issue in
dsaVerify
leads to a signature forgery attackSummary
An upper bound check issue in
dsaVerify
function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack.Details
In
dsaVerify
function, it checks whether the value of the signature is legal by calling functioncheckValue
, namely, whetherr
ands
are both in the interval[1, q - 1]
. However, the second line of thecheckValue
function wrongly checks the upper bound of the passed parameters, since the value ofb.cmp(q)
can only be0
,1
and-1
, and it can never be greater thanq
.In this way, although the values of
s
cannot be0
, an attacker can achieve the same effect as zero by setting its value toq
, and then send(r, s) = (1, q)
to pass the verification of any public key.Impact
All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability.
Fix PR:
Since the temporary private fork was deleted, here's a webarchive of the PR discussion and diff pages: PR webarchive.zip
Patched versions: 4.2.2 Affected versions: >= 2.6.0, <= 4.2.1
Changelog
Sourced from browserify-sign's changelog.
v4.2.2 - 2023-10-25
Fixed
- [Tests] log when openssl doesn't support cipher
[#37](https://github.com/crypto-browserify/browserify-sign/issues/37)
Commits
- Only apps should have lockfiles
09a8995
- [eslint] switch to eslint
83fe463
- [meta] add
npmignore
andauto-changelog
4418183
- [meta] fix package.json indentation
9ac5a5e
- [Tests] migrate from travis to github actions
d845d85
- [Fix]
sign
: throw on unsupported padding scheme8767739
- [Fix] properly check the upper bound for DSA signatures
85994cd
- [Tests] handle openSSL not supporting a scheme
f5f17c2
- [Deps] update
bn.js
,browserify-rsa
,elliptic
,parse-asn1
,readable-stream
,safe-buffer
a67d0eb
- [Dev Deps] update
nyc
,standard
,tape
cc5350b
- [Tests] always run coverage; downgrade
nyc
75ce1d5
- [meta] add
safe-publish-latest
dcf49ce
- [Tests] add
npm run posttest
75dd8fd
- [Dev Deps] update
tape
3aec038
- [Tests] skip unsupported schemes
703c83e
- [Tests] node < 6 lacks array
includes
3aa43cf
- [Dev Deps] fix eslint range
98d4e0d
Commits
-
4af5a90
v4.2.2 -
3aec038
[Dev Deps] updatetape
-
85994cd
[Fix] properly check the upper bound for DSA signatures -
9ac5a5e
[meta] fix package.json indentation -
dcf49ce
[meta] addsafe-publish-latest
-
4418183
[meta] addnpmignore
andauto-changelog
-
8767739
[Fix]sign
: throw on unsupported padding scheme -
5f6fb17
[Tests] log when openssl doesn't support cipher -
f5f17c2
[Tests] handle openSSL not supporting a scheme -
d845d85
[Tests] migrate from travis to github actions - Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.