Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency keypair to 1.0.4 [SECURITY] - abandoned #228

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency keypair to 1.0.4 [SECURITY] - abandoned #228

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Oct 18, 2021
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change
keypair 1.0.1 -> 1.0.4

GitHub Vulnerability Alerts

CVE-2021-41117

Description and Impact

A bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow for weak RSA key generation. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. We recommend replacing any RSA keys that were generated using keypair version 1.0.3 or earlier.

Fix

  • The bug in the pseudo-random number generator is fixed in commit 9596418.
  • If the crypto module is available, it is used instead of the pseudo-random number generator. Also fixed in 9596418

Additional Details

The specific line with the flaw is:

b.putByte(String.fromCharCode(next & 0xFF))

The definition of putByte is

util.ByteBuffer.prototype.putByte = function(b) {
  this.data += String.fromCharCode(b);
};

Simplified, this is String.fromCharCode(String.fromCharCode(next & 0xFF)). This results in most of the buffer containing zeros. An example generated buffer:

(Note: truncated for brevity)

\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x04\x00\x00\x00....\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

Since it is masking with 0xFF, approximately 97% of the bytes are converted to zeros. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion.

Credit

This issue was reported to GitHub Security Lab by Ross Wheeler of Axosoft. It was discovered by Axosoft engineer Dan Suceava, who noticed that keypair was regularly generating duplicate RSA keys. GitHub security engineer @​vcsjones (Kevin Jones) independently investigated the problem and identified the cause and source code location of the bug.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title Update dependency keypair to 1.0.4 [SECURITY] Update dependency keypair to 1.0.4 [SECURITY] - abandoned Mar 24, 2023
@renovate
Copy link
Author

renovate bot commented Mar 24, 2023

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot