Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1oaGM0LTQ3cmgtY3IzNM4AAvin

Incorrect is_static parameter for custom stateful precompiles in SputnikVM (evm)

Impact

A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done. Previously, the passed is_static parameter was incorrect -- it was only set to true if the call comes from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static.

The issue only impacts custom precompiles that actually uses is_static. The maintainers estimate the usage is low. However, for those affected, it can lead to possible incorrect state transitions.

Patches

PR: https://github.com/rust-blockchain/evm/pull/133
Released in v0.36.0.

Older patch versions can be released on request if anyone needs them. Simply contact @sorpaas by email to request it.

For more information

If you have any questions or comments about this advisory:

• Open an issue in evm repo
• Email Wei at [email protected]

Permalink: https://github.com/advisories/GHSA-hhc4-47rh-cr34
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oaGM0LTQ3cmgtY3IzNM4AAvin
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-hhc4-47rh-cr34, CVE-2022-39354
References:

• https://github.com/rust-blockchain/evm/security/advisories/GHSA-hhc4-47rh-cr34
• https://nvd.nist.gov/vuln/detail/CVE-2022-39354
• https://github.com/rust-blockchain/evm/pull/133
• https://rustsec.org/advisories/RUSTSEC-2022-0083.html
• https://github.com/advisories/GHSA-hhc4-47rh-cr34

Repository: https://github.com/rust-blockchain/evm
Blast Radius: 14.1

Affected Packages