CVE-2021-38195

描述

libsecp256k1 accepts signatures whose R or S parameter is larger than the secp256k1 curve order, which differs from other implementations. This could lead to invalid signatures being verified. The error is resolved in 0.5.0 by adding a `check_overflow` flag.

受影響套件(2)

• crates.io/libsecp256k1from 0, < 0.5.0
• crates.io/libsecp256k1>= 0.0.0-0, < 0.5.0

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-38195
• PATCHhttps://crates.io/crates/libsecp256k1
• PATCHhttps://github.com/paritytech/libsecp256k1
• WEBhttps://github.com/paritytech/libsecp256k1/pull/67
• WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0076.html