Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jamcyLTJmamctZnBoNM0jVQ
Integer underflow in Frontier
Impact
A bug in Frontier's MODEXP precompile implementation can cause an integer underflow in certain conditions. This will cause a node crash for debug builds. For release builds (and production WebAssembly binaries), the impact is limited as it can only cause a normal EVM out-of-gas. It is recommended that you apply the patch as soon as possible.
If you do not use MODEXP precompile in your runtime, then you are not impacted.
Patches
Patches are applied in PR #549.
Workarounds
None.
References
Patch PR: #549
Credits
Thanks to SR-Labs for discovering the security vulnerability, and thanks to PureStake team for the patches.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Frontier repo
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jamcyLTJmamctZnBoNM0jVQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-cjg2-2fjg-fph4, CVE-2022-21685
References:
- https://github.com/paritytech/frontier/security/advisories/GHSA-cjg2-2fjg-fph4
- https://nvd.nist.gov/vuln/detail/CVE-2022-21685
- https://github.com/paritytech/frontier/pull/549
- https://github.com/paritytech/frontier/commit/8a93fdc6c9f4eb1d2f2a11b7ff1d12d70bf5a664
- https://github.com/advisories/GHSA-cjg2-2fjg-fph4
Blast Radius: 1.0
Affected Packages
cargo:frontier
Dependent packages: 0Dependent repositories: 0
Downloads: 1,435 total
Affected Version Ranges: <= 0.1.0
No known fixed version
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.1.0