dancefinder/dancefinder-app
5
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Activity

Build(deps): [security] bump browserify-sign from 4.2.1 to 4.2.2 #1534

Merged
argoyle merged 1 commits from dependabot-npm_and_yarn-browserify-sign-4.2.2 into master 2023-10-27 09:20:02 +00:00
Conversation 1 Commits 1 Files Changed 1
+15 -15
argoyle commented 2023-10-27 04:42:19 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

Bumps browserify-sign from 4.2.1 to 4.2.2. This update includes a security fix.

Vulnerabilities fixed

browserify-sign upper bound check issue in dsaVerify leads to a signature forgery attack

Summary

An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack.

Details

In dsaVerify function, it checks whether the value of the signature is legal by calling function checkValue, namely, whether r and s are both in the interval [1, q - 1]. However, the second line of the checkValue function wrongly checks the upper bound of the passed parameters, since the value of b.cmp(q) can only be 0, 1 and -1, and it can never be greater than q.

In this way, although the values of s cannot be 0, an attacker can achieve the same effect as zero by setting its value to q, and then send (r, s) = (1, q) to pass the verification of any public key.

Impact

All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability.

Fix PR:

Since the temporary private fork was deleted, here's a webarchive of the PR discussion and diff pages: PR webarchive.zip

Patched versions: 4.2.2 Affected versions: >= 2.6.0, <= 4.2.1

Changelog

Sourced from browserify-sign's changelog.

v4.2.2 - 2023-10-25

Fixed

Commits

  • Only apps should have lockfiles 09a8995
  • [eslint] switch to eslint 83fe463
  • [meta] add npmignore and auto-changelog 4418183
  • [meta] fix package.json indentation 9ac5a5e
  • [Tests] migrate from travis to github actions d845d85
  • [Fix] sign: throw on unsupported padding scheme 8767739
  • [Fix] properly check the upper bound for DSA signatures 85994cd
  • [Tests] handle openSSL not supporting a scheme f5f17c2
  • [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
  • [Dev Deps] update nyc, standard, tape cc5350b
  • [Tests] always run coverage; downgrade nyc 75ce1d5
  • [meta] add safe-publish-latest dcf49ce
  • [Tests] add npm run posttest 75dd8fd
  • [Dev Deps] update tape 3aec038
  • [Tests] skip unsupported schemes 703c83e
  • [Tests] node < 6 lacks array includes 3aa43cf
  • [Dev Deps] fix eslint range 98d4e0d
Commits
  • 4af5a90 v4.2.2
  • 3aec038 [Dev Deps] update tape
  • 85994cd [Fix] properly check the upper bound for DSA signatures
  • 9ac5a5e [meta] fix package.json indentation
  • dcf49ce [meta] add safe-publish-latest
  • 4418183 [meta] add npmignore and auto-changelog
  • 8767739 [Fix] sign: throw on unsupported padding scheme
  • 5f6fb17 [Tests] log when openssl doesn't support cipher
  • f5f17c2 [Tests] handle openSSL not supporting a scheme
  • d845d85 [Tests] migrate from travis to github actions
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
Bumps [browserify-sign](https://github.com/crypto-browserify/browserify-sign) from 4.2.1 to 4.2.2. **This update includes a security fix.** <details> <summary>Vulnerabilities fixed</summary> <blockquote> <p><strong>browserify-sign upper bound check issue in <code>dsaVerify</code> leads to a signature forgery attack</strong></p> <h3>Summary</h3> <p>An upper bound check issue in <code>dsaVerify</code> function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack.</p> <h3>Details</h3> <p>In <code>dsaVerify</code> function, it checks whether the value of the signature is legal by calling function <code>checkValue</code>, namely, whether <code>r</code> and <code>s</code> are both in the interval <code>[1, q - 1]</code>. However, the second line of the <code>checkValue</code> function wrongly checks the upper bound of the passed parameters, since the value of <code>b.cmp(q)</code> can only be <code>0</code>, <code>1</code> and <code>-1</code>, and it can never be greater than <code>q</code>.</p> <p>In this way, although the values of <code>s</code> cannot be <code>0</code>, an attacker can achieve the same effect as zero by setting its value to <code>q</code>, and then send <code>(r, s) = (1, q)</code> to pass the verification of any public key.</p> <h3>Impact</h3> <p>All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability.</p> <h3>Fix PR:</h3> <p>Since the temporary private fork was deleted, here's a webarchive of the PR discussion and diff pages: <a href="https://github.com/browserify/browserify-sign/files/13172957/PR.webarchive.zip">PR webarchive.zip</a></p> <p>Patched versions: 4.2.2 Affected versions: &gt;= 2.6.0, &lt;= 4.2.1</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md">browserify-sign's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/browserify/browserify-sign/compare/v4.2.1...v4.2.2">v4.2.2</a> - 2023-10-25</h2> <h3>Fixed</h3> <ul> <li>[Tests] log when openssl doesn't support cipher <a href="https://github.com/browserify/browserify-sign/issues/37"><code>[#37](https://github.com/crypto-browserify/browserify-sign/issues/37)</code></a></li> </ul> <h3>Commits</h3> <ul> <li>Only apps should have lockfiles <a href="https://github.com/browserify/browserify-sign/commit/09a89959393b3c89fedd4f7f3bafa4fec44371d7"><code>09a8995</code></a></li> <li>[eslint] switch to eslint <a href="https://github.com/browserify/browserify-sign/commit/83fe46374b819e959d56d2c0b931308f7451a664"><code>83fe463</code></a></li> <li>[meta] add <code>npmignore</code> and <code>auto-changelog</code> <a href="https://github.com/browserify/browserify-sign/commit/44181838e7dcc4d5d0c568f74312ea28f0bcdfd5"><code>4418183</code></a></li> <li>[meta] fix package.json indentation <a href="https://github.com/browserify/browserify-sign/commit/9ac5a5eaaac8a11eb70ec2febd13745c8764ae02"><code>9ac5a5e</code></a></li> <li>[Tests] migrate from travis to github actions <a href="https://github.com/browserify/browserify-sign/commit/d845d855def38e2085d5a21e447a48300f99fa60"><code>d845d85</code></a></li> <li>[Fix] <code>sign</code>: throw on unsupported padding scheme <a href="https://github.com/browserify/browserify-sign/commit/8767739a4516289568bcce9fed8a3b7e23478de9"><code>8767739</code></a></li> <li>[Fix] properly check the upper bound for DSA signatures <a href="https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30"><code>85994cd</code></a></li> <li>[Tests] handle openSSL not supporting a scheme <a href="https://github.com/browserify/browserify-sign/commit/f5f17c27f9824de40b5ce8ebd8502111203fd6af"><code>f5f17c2</code></a></li> <li>[Deps] update <code>bn.js</code>, <code>browserify-rsa</code>, <code>elliptic</code>, <code>parse-asn1</code>, <code>readable-stream</code>, <code>safe-buffer</code> <a href="https://github.com/browserify/browserify-sign/commit/a67d0eb4ffceabb366b69da69ce9a223e9d5e96b"><code>a67d0eb</code></a></li> <li>[Dev Deps] update <code>nyc</code>, <code>standard</code>, <code>tape</code> <a href="https://github.com/browserify/browserify-sign/commit/cc5350b96702fcba930e0662cf763844fd2f59bf"><code>cc5350b</code></a></li> <li>[Tests] always run coverage; downgrade <code>nyc</code> <a href="https://github.com/browserify/browserify-sign/commit/75ce1d5c49a6591dd13422016c07f8f9cae13371"><code>75ce1d5</code></a></li> <li>[meta] add <code>safe-publish-latest</code> <a href="https://github.com/browserify/browserify-sign/commit/dcf49ce85a1a66a6fb31689508d916d7894286a9"><code>dcf49ce</code></a></li> <li>[Tests] add <code>npm run posttest</code> <a href="https://github.com/browserify/browserify-sign/commit/75dd8fd6ce56eb37b12e30807e5f913867b21733"><code>75dd8fd</code></a></li> <li>[Dev Deps] update <code>tape</code> <a href="https://github.com/browserify/browserify-sign/commit/3aec0386dc8dfba8698be756ec770df863867c84"><code>3aec038</code></a></li> <li>[Tests] skip unsupported schemes <a href="https://github.com/browserify/browserify-sign/commit/703c83ea72db2f45714fe749c6f04b05243ca9a8"><code>703c83e</code></a></li> <li>[Tests] node &lt; 6 lacks array <code>includes</code> <a href="https://github.com/browserify/browserify-sign/commit/3aa43cfbc1fdde8481bcdd3bff581574159b869a"><code>3aa43cf</code></a></li> <li>[Dev Deps] fix eslint range <a href="https://github.com/browserify/browserify-sign/commit/98d4e0d7ff18871b0ca07415f758a610ccf8ebbe"><code>98d4e0d</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/browserify/browserify-sign/commit/4af5a90bf8acd9e76e5671dc0497f6ba71968a2c"><code>4af5a90</code></a> v4.2.2</li> <li><a href="https://github.com/browserify/browserify-sign/commit/3aec0386dc8dfba8698be756ec770df863867c84"><code>3aec038</code></a> [Dev Deps] update <code>tape</code></li> <li><a href="https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30"><code>85994cd</code></a> [Fix] properly check the upper bound for DSA signatures</li> <li><a href="https://github.com/browserify/browserify-sign/commit/9ac5a5eaaac8a11eb70ec2febd13745c8764ae02"><code>9ac5a5e</code></a> [meta] fix package.json indentation</li> <li><a href="https://github.com/browserify/browserify-sign/commit/dcf49ce85a1a66a6fb31689508d916d7894286a9"><code>dcf49ce</code></a> [meta] add <code>safe-publish-latest</code></li> <li><a href="https://github.com/browserify/browserify-sign/commit/44181838e7dcc4d5d0c568f74312ea28f0bcdfd5"><code>4418183</code></a> [meta] add <code>npmignore</code> and <code>auto-changelog</code></li> <li><a href="https://github.com/browserify/browserify-sign/commit/8767739a4516289568bcce9fed8a3b7e23478de9"><code>8767739</code></a> [Fix] <code>sign</code>: throw on unsupported padding scheme</li> <li><a href="https://github.com/browserify/browserify-sign/commit/5f6fb1755917851a40249db7d834da4265ed5950"><code>5f6fb17</code></a> [Tests] log when openssl doesn't support cipher</li> <li><a href="https://github.com/browserify/browserify-sign/commit/f5f17c27f9824de40b5ce8ebd8502111203fd6af"><code>f5f17c2</code></a> [Tests] handle openSSL not supporting a scheme</li> <li><a href="https://github.com/browserify/browserify-sign/commit/d845d855def38e2085d5a21e447a48300f99fa60"><code>d845d85</code></a> [Tests] migrate from travis to github actions</li> <li>Additional commits viewable in <a href="https://github.com/crypto-browserify/browserify-sign/compare/v4.2.1...v4.2.2">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~ljharb">ljharb</a>, a new releaser for browserify-sign since your current version.</p> </details> <br /> --- <details> <summary>Dependabot commands</summary> <br /> You can trigger Dependabot actions by commenting on this MR - `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts </details>
argoyle commented 2023-10-27 04:42:27 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

restored source branch dependabot-npm_and_yarn-browserify-sign-4.2.2

restored source branch `dependabot-npm_and_yarn-browserify-sign-4.2.2`
argoyle (Migrated from gitlab.com) merged commit into master 2023-10-27 09:20:03 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
dependencies
Pull requests that update a dependency file
 docker
javascript
security
Pull requests that address a security vulnerability
 severity:critical
severity:high
severity:low
severity:moderate
No Label dependencies javascript security severity:high
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dancefinder/dancefinder-app#1534
Delete Branch "dependabot-npm_and_yarn-browserify-sign-4.2.2"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?