Affected versions of this crate allowed unsoundly extending
lifetimes using arr!
macro. This may result in a variety of
memory corruption scenarios, most likely use-after-free.
solana-sdk 0.22.8
This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
solana-sdk
(25 total, 14 outdated, 2 possibly insecure)
Crate | Required | Latest | Status |
---|---|---|---|
assert_matches | ^1.3.0 | 1.5.0 | up to date |
bincode | ^1.2.1 | 1.3.3 | up to date |
bs58 | ^0.3.0 | 0.5.1 | out of date |
byteorder | ^1.3.2 | 1.5.0 | up to date |
ed25519-dalek ⚠️ | =1.0.0-pre.1 | 2.1.1 | out of date |
generic-array ⚠️ | ^0.13.2 | 1.0.0 | out of date |
hex | ^0.4.0 | 0.4.3 | up to date |
hmac | ^0.7.0 | 0.12.1 | out of date |
itertools | ^0.8.2 | 0.12.1 | out of date |
log | ^0.4.8 | 0.4.21 | up to date |
memmap | ^0.6.2 | 0.7.0 | out of date |
num-derive | ^0.3 | 0.4.2 | out of date |
num-traits | ^0.2 | 0.2.18 | up to date |
pbkdf2 | ^0.3.0 | 0.12.2 | out of date |
rand | ^0.6.5 | 0.8.5 | out of date |
rand_chacha | ^0.1.1 | 0.3.1 | out of date |
serde | ^1.0.104 | 1.0.200 | up to date |
serde_bytes | ^0.11 | 0.11.14 | up to date |
serde_derive | ^1.0.103 | 1.0.200 | up to date |
serde_json | ^1.0.44 | 1.0.116 | up to date |
sha2 | ^0.8.0 | 0.10.8 | out of date |
solana-crate-features | ^0.22.8 | 1.8.16 | out of date |
solana-logger | ^0.22.8 | 1.18.12 | out of date |
solana-sdk-macro | ^0.22.8 | 1.18.12 | out of date |
thiserror | ^1.0 | 1.0.59 | up to date |
(1 total, 1 outdated)
Crate | Required | Latest | Status |
---|---|---|---|
tiny-bip39 | ^0.6.2 | 1.0.0 | out of date |
generic-array
: arr! macro erases lifetimesAffected versions of this crate allowed unsoundly extending
lifetimes using arr!
macro. This may result in a variety of
memory corruption scenarios, most likely use-after-free.
ed25519-dalek
: Double Public Key Signing Function Oracle Attack on `ed25519-dalek`Versions of ed25519-dalek
prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair
, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.
Such APIs and serializations are inherently unsafe as the public key is one of
the inputs used in the deterministic computation of the S
part of the signature,
but not in the R
value. An adversary could somehow use the signing function as
an oracle that allows arbitrary public keys as input can obtain two signatures
for the same message sharing the same R
and only differ on the S
part.
Unfortunately, when this happens, one can easily extract the private key.
Revised public APIs in v2.0 of ed25519-dalek
do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.