Critical vulnerability in v1.2.0

Question

Critical vulnerability in v1.2.0

vdhanan opened this issue 3 years ago · 7 comments

opaque-ke 1.2.0 depends on curve25519-dalek 3, which in turn depends on rand_core 0.5.1. This version of rand_core has a critical bug. I think we can fix this by patching v1.2 of opaque-ke to use the same version of curve25519-dalek that is used on master. Thoughts?

Answer 1 · 2022-04-27T23:59:07.000Z

Link to our Dependabot alert: https://github.com/CommE2E/comm/security/dependabot/76

Answer 2 · 2022-04-28T01:00:47.000Z

@vdhanan: The link you provided above returns a 404 for me. Can you provide a new one, or one for the critical bug in rand_core?

Answer 3 · 2022-04-28T01:11:20.000Z

@kevinlewi sorry about that! here's a screenshot:

Answer 4 · 2022-04-28T01:11:46.000Z

And here's the CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27378

Answer 5 · 2022-04-28T01:15:32.000Z

From https://nvd.nist.gov/vuln/detail/CVE-2021-27378 ,

From (including)0.6.0 | Up to (excluding)0.6.2

So it looks like rand_core v0.5 is unaffected. This also matches what I expected see on crates.io for the package, https://crates.io/crates/rand_core/versions (versions 0.6.0 and 0.6.1 were yanked, but 0.5.1 is still up)

Answer 6 · 2022-04-28T01:17:08.000Z

Closing as this is not a vulnerability (but feel free to reopen if you think there is more discussion to be had...!)

Answer 7 · 2022-04-28T16:28:11.000Z

Looks like dependabot was wrong! Sorry about that!