CVE-2022-24787

HIGH7.5EPSS 0.24%

Incorrect Comparison in Vyper

Published: 4/4/2022Modified: 12/5/2024

Description

### Impact bytestrings can have dirty bytes in them, resulting in the word-for-word comparison to give incorrect results, e.g. ```vyper b1: Bytes[32] = b"abcdef" b1 = slice(b1, 0, 1) b2: Bytes[32] = b"abcdef" t: bool = b1 == b2 # incorrectly evaluates to True ``` even without dirty nonzero bytes, because there is no comparison of the length, two bytestrings can compare to equal if one ends with `"\x00"`. ```vyper b1: Bytes[32] = b"abc\0" b2: Bytes[32] = b"abc" t: bool = b1 == b2 # incorrectly evaluates to True ``` ### Patches fixed in https://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508

Affected packages (2)

PyPI/vyperfrom 0, < 0.3.2
PyPI/vyperfrom 0, < 2c73f8352635c0a433423a5b94740de1a118e508 | from 0, < 0.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (4)

PATCHhttps://github.com/vyperlang/vyper
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-196.yaml
WEBhttps://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508
WEBhttps://github.com/vyperlang/vyper/security/advisories/GHSA-7vrm-3jc8-5wwm