ecdsautils is vulnerable to signature verification bypass. ecdsa_verify_[prepare_]legacy() does not check whether the signature values r and s are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: ecdsa_verify_list_legacy() will accept an arbitrary number of such forged signatures. Both the ecdsautil verify CLI command and the libecdsautil library are affected.
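The following is an added example, not code from ecdsautils: a textbook ECDSA verifier over a toy curve, run with and without the range check on r and s, to show why the missing check lets an all-zero signature pass for any message and key. The curve parameters, function names, the zero-mapping inverse and the reading of the identity point as x = 0 are assumptions made for the illustration.

```python
# Added illustration: toy curve y^2 = x^3 + 2x + 2 over F_17 (group order 19).
# Constructed parameters, not the curve or code used by ecdsautils.
P, A, N, G = 17, 2, 19, (5, 1)
INF = None  # point at infinity

def inv(x, m):
    # Fermat inversion: maps 0 to 0 instead of raising (modelling assumption).
    return pow(x, m - 2, m)

def add(p, q):
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def sign(z, d, k):
    r = mul(k, G)[0] % N
    return r, inv(k, N) * (z + r * d) % N

def verify(z, sig, pub, check_range):
    r, s = sig
    # Standard ECDSA requires 1 <= r, s <= n-1; the advisory describes this check as absent.
    if check_range and not (1 <= r < N and 1 <= s < N):
        return False
    w = inv(s, N)                      # s = 0 gives w = 0
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    x = 0 if pt is INF else pt[0] % N  # identity read as x = 0 (modelling assumption)
    return x == r

PUB = mul(7, G)         # constructed key pair: private scalar d = 7
GOOD = sign(5, 7, 10)   # constructed message hash z = 5, nonce k = 10
```

With check_range=False both scalar multipliers collapse to zero for the signature (0, 0), so the result never depends on the message or the public key; with the range check the same input is rejected before any curve arithmetic.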
github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b95ad70f6dbd08
github.com/freifunk-gluon/ecdsautils/commit/39b6d0a77414fd41614953a0e185c4eefa2f88ad
github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw
lists.debian.org/debian-lts-announce/2022/05/msg00007.html
lists.fedoraproject.org/archives/list/[email protected]/message/4AKQH5WCBMJA3ODCSNERY6HVX4BX3ITG/
lists.fedoraproject.org/archives/list/[email protected]/message/G2JT57AAFIEL7JDO2ZBV25JKYME5NU54/
lists.fedoraproject.org/archives/list/[email protected]/message/L7UBR3M4U3LA46BHXYSH7EN5GDG44GK7/
security-tracker.debian.org/tracker/CVE-2022-24884
www.debian.org/security/2022/dsa-5132