[Pkg-javascript-devel] Bug#1054667: Bug#1054667: node-browserify-sign: CVE-2023-46234

Salvatore Bonaccorso carnil at debian.org
Sun Oct 29 07:33:03 GMT 2023


Hi Yadd,

On Sat, Oct 28, 2023 at 12:05:25PM +0400, Yadd wrote:
> On 10/27/23 20:20, Moritz Mühlenhoff wrote:
> > Source: node-browserify-sign
> > X-Debbugs-CC: team at security.debian.org
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for node-browserify-sign.
> > 
> > CVE-2023-46234[0]:
> > | browserify-sign is a package to duplicate the functionality of
> > | node's crypto public key functions, much of this is based on Fedor
> > | Indutny's work on indutny/tls.js. An upper bound check issue in
> > | `dsaVerify` function allows an attacker to construct signatures that
> > | can be successfully verified by any public key, thus leading to a
> > | signature forgery attack. All places in this project that involve
> > | DSA verification of user-input signatures will be affected by this
> > | vulnerability. This issue has been patched in version 4.2.2.
> > 
> > https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
> > https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-46234
> >      https://www.cve.org/CVERecord?id=CVE-2023-46234
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> please find attached the debdiff for Bookworm

Thanks, looks good and I think we can release a DSA for it.

FTR, please wait next time for an ack first.

Regards,
Salvatore
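For readers unfamiliar with the "upper bound check" the advisory quoted above refers to: DSA verification must reject any signature whose r or s falls outside 0 < r, s < q before doing any arithmetic. The following is an added illustration, not browserify-sign's code or the patch; the toy group (p, q, g), key and signature values are constructed for the example.

```javascript
// Added example (not browserify-sign's code): a toy DSA verifier with the
// signature-component range checks the advisory describes. Real DSA uses
// 2048-bit+ parameters; the constants below are tiny constructed values.
const P = 23n, Q = 11n, G = 4n; // g has order q modulo p (constructed toy group)
const PUB_Y = 8n;                // y = g^x mod p for the constructed private key x = 7

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse via Fermat's little theorem, valid because q is prime.
function modInv(a, mod) {
  return modPow(a, mod - 2n, mod);
}

// FIPS 186-4 requires 0 < r < q and 0 < s < q before any arithmetic;
// a signature failing either bound must be rejected outright.
function inRange(v, q) {
  return typeof v === 'bigint' && v > 0n && v < q;
}

// Returns true only for a well-formed signature that verifies against y.
function dsaVerify(hashInt, r, s, { p = P, q = Q, g = G, y = PUB_Y } = {}) {
  if (!inRange(r, q) || !inRange(s, q)) return false; // lower AND upper bound check
  const w = modInv(s, q);
  const u1 = (hashInt * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Constructed sample: H(m) = 5, signed with x = 7 and nonce k = 3 gives (r, s) = (7, 7).
const SAMPLE = { hash: 5n, r: 7n, s: 7n };
```

Calling dsaVerify with r or s shifted by a multiple of q, or set to 0, returns false from the range check alone, which is the behaviour the fixed package restores.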


