CVE-2023-44273: Fix/malleability sig by ThomasPiellard · Pull Request #449 · Consensys/gnark-crypto
Consensys gnark-crypto through 0.11.2 allows Signature Malleability. This occurs because deserialisation of EdDSA and ECDSA signatures does not ensure that the data is in a certain interval.
I made some updates - particularly checking against 0 values as this leads to div by zero elsewhere.
Tests work, but would be nice to have a confirmation.
And I checked that negative values are not issues as incoming bytes are represented as unsigned ints.
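The interval check described above, as an added Go example that is not code from gnark-crypto or from this pull request: it shows why a fixed-width scalar that is only reduced modulo the group order has more than one accepted encoding, and how a strict parser rejects both the alias and zero. The function names and `lenientScalar` (a simplified stand-in for a parser with no interval check) are assumptions; the BN254 scalar field order serves only as a sample modulus.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"math/big"
)

// Sample modulus (assumption): order of the BN254 scalar field, about 254 bits.
var order, _ = new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)

const scalarSize = 32 // fixed-width big-endian encoding

var errRange = errors.New("scalar outside [1, order-1]")

// lenientScalar is the malleable pattern: any 32 bytes are accepted and reduced.
func lenientScalar(b []byte) *big.Int {
	v := new(big.Int).SetBytes(b)
	return v.Mod(v, order)
}

// strictScalar accepts only the single canonical encoding of a value in [1, order-1].
func strictScalar(b []byte) (*big.Int, error) {
	if len(b) != scalarSize {
		return nil, errors.New("bad scalar length")
	}
	v := new(big.Int).SetBytes(b) // bytes are read as unsigned, so v >= 0
	if v.Sign() == 0 || v.Cmp(order) >= 0 {
		return nil, errRange
	}
	return v, nil
}

// aliasEncoding builds constructed test input: the encoding of value+order,
// which still fits in 32 bytes for small values because order < 2^254.
func aliasEncoding(canonical []byte) []byte {
	v := new(big.Int).SetBytes(canonical)
	return v.Add(v, order).FillBytes(make([]byte, scalarSize))
}

func main() {
	s := make([]byte, scalarSize)
	s[31] = 7 // constructed sample scalar
	alias := aliasEncoding(s)
	fmt.Println("encodings differ:", !bytes.Equal(s, alias))
	fmt.Println("lenient parser sees the same scalar:", lenientScalar(s).Cmp(lenientScalar(alias)) == 0)
	_, err := strictScalar(alias)
	fmt.Println("strict parser on alias:", err)
}
```

With the strict parser, two byte strings can never decode to the same signature component, so a verifier that compares or indexes signatures by their bytes sees exactly one valid form.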
Related news
GHSA-9xfq-8j3r-xp5g: Consensys gnark-crypto allows Signature Malleability