CVE-2023-46234

Improper Verification of Cryptographic Signature

Published: Oct 26, 2023 | Modified: Apr 10, 2025

CVSS 3.x (source: NVD): 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (reachable over the network with no privileges or user interaction; the impact is to integrity only, which is what a signature forgery is: confidentiality and availability are not affected)
CVSS 2.x: none listed
Red Hat V3: 7.5 IMPORTANT, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (Red Hat V2: none listed)
Ubuntu priority: MEDIUM

browserify-sign is a package that duplicates the functionality of Node's crypto public-key functions; much of it is based on Fedor Indutny's work on indutny/tls.js. A faulty upper-bound check in the dsaVerify function means the range check that DSA verification requires on the signature values (0 < r < q and 0 < s < q, where q is the subgroup order) is not enforced correctly, which allows an attacker to construct signatures that verify successfully under any public key, i.e. a signature forgery attack. Every code path in the project that performs DSA verification of user-supplied signatures is affected. The issue has been patched in version 4.2.2.
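The following is an added example, not browserify-sign's own code, that shows the bug class named above in a textbook DSA verifier over BigInt: a range check whose comparison can never be true sits beside the correct check, and a signature with s equal to q is run through both. The parameters (p = 283, q = 47, g = 64), the private key, the fixed nonce k and the "digest" value are constructed toy values; the three-way cmp helper, the unchecked modular inverse that returns 0 for a non-invertible input, and the function names are assumptions made for illustration and do not reproduce the library's internals.

```javascript
// Added example (not browserify-sign's code): DSA verification with a range check that
// can never fire beside the correct one. All numbers below are constructed toy values.

// Assumed three-way compare in the style of bignum libraries: returns -1, 0 or 1.
function cmp(a, b) { return a < b ? -1 : (a > b ? 1 : 0); }

// Bug class: the RESULT of cmp (-1, 0 or 1) is compared against q itself, so for any
// q > 1 the second condition is always false and values >= q are accepted.
function checkValueBroken(b, q) {
  if (cmp(b, 0n) <= 0) throw new Error('invalid sig');
  if (cmp(b, q) >= q) throw new Error('invalid sig'); // never true when q > 1
}

// Correct check: 0 < b < q.
function checkValueFixed(b, q) {
  if (cmp(b, 0n) <= 0) throw new Error('invalid sig');
  if (cmp(b, q) >= 0) throw new Error('invalid sig');
}

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Extended Euclid: returns [g, x] with a*x ≡ g (mod m). For a ≡ 0 (mod m) it yields [m, 0].
function egcd(a, m) {
  let [oldR, r] = [a % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const qt = oldR / r;
    [oldR, r] = [r, oldR - qt * r];
    [oldS, s] = [s, oldS - qt * s];
  }
  return [oldR, oldS];
}

// Fails closed when no inverse exists.
function invModStrict(a, m) {
  const [g, x] = egcd(a, m);
  if (g !== 1n) throw new Error('no modular inverse');
  return ((x % m) + m) % m;
}

// Assumption for illustration: an unchecked inverse that returns whatever Euclid produced
// (0 when a ≡ 0 mod m). With w = 0 both exponents become 0 and v = 1 regardless of the key.
function invModLenient(a, m) {
  const [, x] = egcd(a, m);
  return ((x % m) + m) % m;
}

const PARAMS = { p: 283n, q: 47n, g: 64n }; // constructed: 283 is prime, 282 = 6 * 47, g = 2^6 mod p
const PRIV = 24n;                           // constructed private key
const PUB = modPow(PARAMS.g, PRIV, PARAMS.p);
const OTHER_PUB = modPow(PARAMS.g, 7n, PARAMS.p); // an unrelated public key

// k is fixed only so the example is reproducible; real DSA needs a fresh random nonce.
function dsaSign(hash, x, k) {
  const { p, q, g } = PARAMS;
  const r = modPow(g, k, p) % q;
  const s = (invModStrict(k, q) * (hash + x * r)) % q;
  return { r, s };
}

function dsaVerify(hash, y, sig, checkValue, invMod) {
  const { p, q, g } = PARAMS;
  checkValue(sig.s, q);
  checkValue(sig.r, q);
  const w = invMod(sig.s, q);
  const u1 = (hash * w) % q;
  const u2 = (sig.r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === sig.r;
}

function verifyOutcome(hash, y, sig, checkValue, invMod) {
  try { return dsaVerify(hash, y, sig, checkValue, invMod) ? 'accepted' : 'rejected'; }
  catch (e) { return 'error: ' + e.message; }
}

const HASH = 29n;                              // constructed digest, already reduced mod q
const GENUINE = dsaSign(HASH, PRIV, 5n);       // r = 16, s = 45 for these toy values
const FORGED = { r: 1n, s: PARAMS.q };         // s = q slips past the broken upper-bound check

function demo() {
  return {
    genuineFixed: verifyOutcome(HASH, PUB, GENUINE, checkValueFixed, invModStrict),
    genuineBroken: verifyOutcome(HASH, PUB, GENUINE, checkValueBroken, invModLenient),
    forgedBroken: verifyOutcome(HASH, PUB, FORGED, checkValueBroken, invModLenient),
    forgedBrokenOtherKey: verifyOutcome(HASH, OTHER_PUB, FORGED, checkValueBroken, invModLenient),
    forgedFixed: verifyOutcome(HASH, PUB, FORGED, checkValueFixed, invModLenient),
    forgedStrictInverseOnly: verifyOutcome(HASH, PUB, FORGED, checkValueBroken, invModStrict),
  };
}

console.log(demo());
```

The two outcomes worth noticing are that the forged pair is accepted under both public keys when the broken check is paired with an unchecked inverse, and that either fix on its own (the corrected range check, or an inverse that fails closed) rejects it, while the genuine signature still verifies. A verifier should have both: the range check is what the DSA specification mandates, and a modular inverse that refuses non-invertible input is the defence in depth that catches a check that was mis-written.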

Weakness

CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data. Here the verification routine accepts signature components outside the range DSA requires, so a value that a correct verifier would reject before any arithmetic is performed is instead fed into the check.

Affected Software

Name                                | Vendor     | Start Version               | End Version
Browserify-sign                     | Browserify | *                           | 4.2.2 (excluding)
Red Hat Developer Hub 1.2 on RHEL 9 | RedHat     | rhdh/rhdh-hub-rhel9:1.2-154 | *
Node-browserify-sign                | Ubuntu     | bionic                      | *
Node-browserify-sign                | Ubuntu     | esm-apps/bionic             | *
Node-browserify-sign                | Ubuntu     | esm-apps/focal              | *
Node-browserify-sign                | Ubuntu     | esm-apps/jammy              | *
Node-browserify-sign                | Ubuntu     | focal                       | *
Node-browserify-sign                | Ubuntu     | jammy                       | *
Node-browserify-sign                | Ubuntu     | lunar                       | *
Node-browserify-sign                | Ubuntu     | mantic                      | *
Node-browserify-sign                | Ubuntu     | trusty                      | *
Node-browserify-sign                | Ubuntu     | xenial                      | *

The upstream package is fixed in 4.2.2; the Ubuntu rows list the node-browserify-sign source package per release (including the ESM Apps streams for bionic, focal and jammy), and an end version of * means the table records no upper bound for that row. browserify-sign is rarely a direct dependency: it is pulled in transitively by crypto-browserify, which browserify-style bundlers use to polyfill Node's crypto module in the browser, so run npm ls browserify-sign in each affected project and confirm that every resolved copy is 4.2.2 or later rather than checking only the top-level package.json.
