Affected versions of this crate did not properly verify ed25519 signatures. Any signature with a correct length was considered valid.
This allows an attacker to impersonate any node identity.
libp2p-noise 0.6.0
This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
libp2p-noise
(13 total, 10 outdated, 5 possibly insecure)
Crate | Required | Latest | Status |
---|---|---|---|
bytes | ^0.4 | 1.10.1 | out of date |
curve25519-dalek ⚠️ | ^1 | 4.1.3 | out of date |
futures | ^0.1 | 0.3.31 | out of date |
lazy_static | ^1.2 | 1.5.0 | up to date |
libp2p-core ⚠️ | ^0.8.0 | 0.43.1 | out of date |
log | ^0.4 | 0.4.27 | up to date |
protobuf ⚠️ | ^2.3 | 3.7.2 | out of date |
rand | ^0.6.5 | 0.9.1 | out of date |
ring ⚠️ | ^0.14 | 0.17.14 | out of date |
snow ⚠️ | ^0.5.2 | 0.9.6 | out of date |
tokio-io | ^0.1 | 0.1.13 | up to date |
x25519-dalek | ^0.5 | 2.0.1 | out of date |
zeroize | ^0.5 | 1.8.1 | out of date |
(5 total, 4 outdated, 1 possibly insecure)
Crate | Required | Latest | Status |
---|---|---|---|
env_logger | ^0.6 | 0.11.8 | out of date |
libp2p-tcp | ^0.8.0 | 0.44.0 | out of date |
quickcheck | ^0.8 | 1.0.3 | out of date |
sodiumoxide | ^0.2 | 0.2.7 | up to date |
tokio ⚠️ | ^0.1 | 1.46.1 | out of date |
libp2p-core
: Failure to properly verify ed25519 signatures makes any signature validAffected versions of this crate did not properly verify ed25519 signatures. Any signature with a correct length was considered valid.
This allows an attacker to impersonate any node identity.
tokio
: Data race when sending and receiving after closing a `oneshot` channelIf a tokio::sync::oneshot
channel is closed (via the
oneshot::Receiver::close
method), a data race may occur if the
oneshot::Sender::send
method is called while the corresponding
oneshot::Receiver
is await
ed or calling try_recv
.
When these methods are called concurrently on a closed channel, the two halves of the channel can concurrently access a shared memory location, resulting in a data race. This has been observed to cause memory corruption.
Note that the race only occurs when both halves of the channel are used
after the Receiver
half has called close
. Code where close
is not used, or where the
Receiver
is not await
ed and try_recv
is not called after calling close
,
is not affected.
See tokio#4225 for more details.
snow
: Unauthenticated Nonce Increment in snowThere was a logic bug where unauthenticated payloads could still cause a nonce increment in snow's internal state. For an attacker with privileges to inject packets into the channel over which the Noise session operates, this could allow a denial-of-service attack which could prevent message delivery by sending garbage data.
Note that this only affects those who are using the stateful TransportState, not those using StatelessTransportState.
This has been patched in version 0.9.5, and all users are recommended to update.
curve25519-dalek
: Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`Timing variability of any kind is problematic when working with potentially secret values such as
elliptic curve scalars, and such issues can potentially leak private keys and other secrets. Such a
problem was recently discovered in curve25519-dalek
.
The Scalar29::sub
(32-bit) and Scalar52::sub
(64-bit) functions contained usage of a mask value
inside a loop where LLVM saw an opportunity to insert a branch instruction (jns
on x86) to
conditionally bypass this code section when the mask value is set to zero as can be seen in godbolt:
A similar problem was recently discovered in the Kyber reference implementation:
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU/m/cnE3pbueBgAJ
As discussed on that thread, one portable solution, which is also used in this PR, is to introduce a volatile read as an optimization barrier, which prevents the compiler from optimizing it away.
The fix can be validated in godbolt here:
The problem was discovered and the solution independently verified by Alexander Wagner [email protected] and Lea Themint [email protected] using their DATA tool:
protobuf
: Crash due to uncontrolled recursion in protobuf crateAffected version of this crate did not properly parse unknown fields when parsing a user-supplied input.
This allows an attacker to cause a stack overflow when parsing the mssage on untrusted data.
ring
: Some AES functions may panic when overflow checking is enabled.ring::aead::quic::HeaderProtectionKey::new_mask()
may panic when overflow
checking is enabled. In the QUIC protocol, an attacker can induce this panic by
sending a specially-crafted packet. Even unintentionally it is likely to occur
in 1 out of every 2**32 packets sent and/or received.
On 64-bit targets operations using ring::aead::{AES_128_GCM, AES_256_GCM}
may
panic when overflow checking is enabled, when encrypting/decrypting approximately
68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols
like TLS and SSH are not affected by this because those protocols break large
amounts of data into small chunks. Similarly, most applications will not
attempt to encrypt/decrypt 64GB of data in one chunk.
Overflow checking is not enabled in release mode by default, but
RUSTFLAGS="-C overflow-checks"
or overflow-checks = true
in the Cargo.toml
profile can override this. Overflow checking is usually enabled by default in
debug mode.