Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00aGc0LTltZjUtd3h4cc4AA1rF

incorrect order of evaluation of side effects for some builtins

Impact

The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order.
• For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b.
• For ecadd(a,b) and ecmul(a,b), the order is b,a.

Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.

Patches

https://github.com/vyperlang/vyper/pull/3583

Workarounds

When using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

References

Are there any links users can visit to find out more?

Permalink: https://github.com/advisories/GHSA-4hg4-9mf5-wxxq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00aGc0LTltZjUtd3h4cc4AA1rF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 2 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Percentage: 0.0006
EPSS Percentile: 0.27227

Identifiers: GHSA-4hg4-9mf5-wxxq, CVE-2023-41052
References:

• https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq
• https://github.com/vyperlang/vyper/pull/3583
• https://nvd.nist.gov/vuln/detail/CVE-2023-41052
• https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml
• https://github.com/advisories/GHSA-4hg4-9mf5-wxxq

Repository: https://github.com/vyperlang/vyper
Blast Radius: 12.6

Affected Packages