Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0001-verify-fix-signature-verification-CVE-2022-24884.patch | verify: fix signature verification (CVE-2022-24884) Verify that r and s are non-zero. Without these checks, an all-zero signature is always considered valid. While it would be nicer to error out in ecdsa_verify_prepare_legacy() already, that would require users of libecdsautil to check a return value of the prepare step. To be safe, implement the fix in an API/ABI-compatible way that doesn't need changes to the users. | Matthias Schiffer <mschiffer@universe-factory.net> | no | | backport, https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 | 2022-04-20 |