browserify/crypto-browserify

[Security] update browserify-sign to the latest

rastorc3v opened this issue · 3 comments

The current browserify-sign version has elliptic as a dependency, which contains a security issue. Please update browserify-sign to fix it.

Semgrep also calls this out with the following information:

Affected versions of browserify-sign are vulnerable to Improper Verification Of Cryptographic Signature. The vulnerability lies in the checkValue function incorrectly verifying the upper bounds of the r and s components in a signature, enabling attackers to manipulate the s component by setting it to the prime number q, thereby simulating a zero value for s and potentially resulting in the unauthorized acceptance of maliciously signed messages during signature verification.
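To make the bounds problem described in the Semgrep note concrete, here is an added illustration in JavaScript. It is not code from browserify-sign or from this thread; the function names, the weak/strict check pair and the small sample modulus are all constructed for the example. DSA-style verification requires 0 < r < q and 0 < s < q (q being the prime subgroup order); a check that only rejects values greater than q admits s == q, and since q mod q == 0 that value has no modular inverse, so it behaves like s == 0 inside the verifier. The hardened check enforces the strict upper bound.

```javascript
// Added illustration (not browserify-sign's own code): range checks for the
// (r, s) components of a DSA-style signature, shown in a weak and a strict form.
// Names and values here are constructed for the example.

// Constructed sample subgroup order; a real q is a 160-256 bit prime.
const SAMPLE_Q = 23n;

// Weak check: rejects only values strictly greater than q, so s == q slips through.
function weakInRange(value, q) {
  return value > 0n && value <= q;
}

// Hardened check: enforces 0 < value < q exactly, rejecting s == q.
function strictInRange(value, q) {
  return value > 0n && value < q;
}

// Applies one range policy to both components; returns true if both are accepted.
function validateSignatureComponents(r, s, q, inRange) {
  if (typeof r !== 'bigint' || typeof s !== 'bigint') return false;
  return inRange(r, q) && inRange(s, q);
}

// Modular inverse via the extended Euclidean algorithm; returns null when no
// inverse exists (gcd(a, m) != 1). Verification needs w = s^-1 mod q.
function modInverse(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const qt = oldR / r;
    [oldR, r] = [r, oldR - qt * r];
    [oldS, s] = [s, oldS - qt * s];
  }
  if (oldR !== 1n) return null;
  return ((oldS % m) + m) % m;
}

// Shows that s == q is congruent to zero modulo q, which is why the weak check
// admits a value that the verifier then cannot invert.
function reducesToZero(s, q) {
  return s % q === 0n;
}

// Stand-alone demonstration: the weak policy accepts s == q, the strict one does not.
console.log('weak accepts s == q:', validateSignatureComponents(5n, SAMPLE_Q, SAMPLE_Q, weakInRange));
console.log('strict accepts s == q:', validateSignatureComponents(5n, SAMPLE_Q, SAMPLE_Q, strictInRange));
console.log('inverse of q mod q:', modInverse(SAMPLE_Q, SAMPLE_Q));
```

The strict form is what a verifier should apply before any modular arithmetic on s: rejecting the component up front means the inverse step never sees a zero residue, and a signature with s == q is refused for the same reason s == 0 would be.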

@mkilpatrick that sounds like something different - if elliptic has a vulnerability, then that package needs to fix it. The CVE you reference was fixed in browserify-sign 4-5 months ago (browserify/browserify-sign@85994cd) and is in v4.2.2 of that package.

if elliptic has a vulnerability, then that package needs to fix it - if there's a specific CVE, please link it.