Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNTdyLTRxdzYtNThyM84AA2-Z
rusty_paseto vulnerable to private key extraction due to ed25519-dalek dependency
Impact
The vulnerability, known as RUSTSEC-2022-0093, impacts the ed25519-dalek crate, which is a dependency of the rusty-paseto crate. This issue arises from a "Double Public Key Signing Function Oracle Attack" affecting versions of ed25519-dalek prior to v2.0. These versions expose an unsafe API for serializing and deserializing 64-byte keypairs that include both private and public keys, creating potential for certain attacks. d25519-dalek users utilizing these serialization and deserialization functions directly could potentially be impacted.
Patches
The vulnerability within the ed25519-dalek crate has been addressed in version 2.0. rusty-paseto has addressed it in release v0.6.0.
Workarounds
Users are recommended to upgrade to v0.6.0 of rusty-paseto. However, users should still ensure that their key serialization and deserialization practices are secure and avoid any practices that could lead to key exposure.
References
More information about RUSTSEC-2022-0093 can be found in the RustSec Advisory Database. Updates and details regarding the upcoming release of rusty-paseto will be documented in the project's releases and changelog. This issue was first reported by Dependabot on 2023-08-15. The source was reviewed by @rrrodzilla at that time and a determination was made that the vulnerability low harm to existing users due to the strongly typed nature of keys provided by the rusty-paseto API. @techport-om reported the vulnerability to the repository by discovering during a cargo-audit run on 2023-11-05 and opened issue 28. This advisory was created at that time to notify existing users.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNTdyLTRxdzYtNThyM84AA2-Z
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-j57r-4qw6-58r3
References:
- https://github.com/rrrodzilla/rusty_paseto/security/advisories/GHSA-j57r-4qw6-58r3
- https://github.com/rrrodzilla/rusty_paseto/commit/42718c1b757c1dfabb80621f2f48b8268f7fa24e
- https://github.com/rrrodzilla/rusty_paseto/releases/tag/v0.6.0
- https://rustsec.org/advisories/RUSTSEC-2022-0093.html
- https://github.com/advisories/GHSA-j57r-4qw6-58r3
Blast Radius: 1.0
Affected Packages
cargo:rusty-paseto
Affected Version Ranges: <= 0.5.0Fixed in: 0.6.0