[Pkg-javascript-devel] Bug#1054667: node-browserify-sign: CVE-2023-46234
Moritz Mühlenhoff
jmm at inutil.org
Fri Oct 27 17:20:45 BST 2023
Source: node-browserify-sign
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for node-browserify-sign.
CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions, much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.
https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
https://www.cve.org/CVERecord?id=CVE-2023-46234
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-javascript-devel
mailing list