PT-2019-4889 · Python+3 · Python-Ecdsa+3

Pedro Sampaio · Published 2019-10-07 · Updated 2024-06-15 · CVE-2019-14853

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: python-ecdsa versions 0.5 through 0.13.2

Description: A flaw in the error-handling mechanism of python-ecdsa could lead to a denial of service when decoding malformed DER signatures: decoding may raise unexpected exceptions, or raise no exception at all, and an uncaught exception can terminate the program. The flaw also allows signature malleability, which could impact applications that sign or verify signatures of signatures, such as Bitcoin.

Recommendations: For python-ecdsa versions 0.5 through 0.13.2, update to version 0.13.3 to resolve the issue. As a temporary workaround, catch the additional exceptions UnexpectedDER, IndexError and AssertionError around calls to VerifyingKey.verify() and VerifyingKey.verify_digest() to prevent denial of service. To remediate signature malleability, verify that the signature is a properly DER-formatted ECDSA-Sig-Value before passing it to verify() or verify_digest().
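The pre-check and the exception handling the recommendations describe, written out as an added example (this is not code from python-ecdsa or from this advisory): a strict parser for a DER ECDSA-Sig-Value (one SEQUENCE of two positive, minimally encoded INTEGERs, no trailing bytes, one-byte long-form lengths only), plus a hypothetical safe_verify() wrapper that calls VerifyingKey.verify() only after that check and maps the extra exceptions named above to a plain False. The byte strings in the comments and tests are constructed.

```python
def _der_length(buf, pos):
    # Strict DER length: short form below 128, else the minimal one-byte long form (0x81 NN).
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first != 0x81 or buf[pos + 1] < 0x80:
        raise ValueError("bad or non-minimal length encoding")
    return buf[pos + 1], pos + 2

def _der_integer(buf, pos):
    # One positive, minimally encoded DER INTEGER; returns (value, next_pos).
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _der_length(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length or body[0] & 0x80:
        raise ValueError("empty, truncated or negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("INTEGER has a redundant leading zero")
    return int.from_bytes(body, "big"), pos + length

def strict_sig_value(sig):
    # Return (r, s) if sig is exactly one DER ECDSA-Sig-Value SEQUENCE, else raise ValueError.
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    length, pos = _der_length(sig, 1)
    if pos + length != len(sig):
        raise ValueError("SEQUENCE length disagrees with input length")
    r, pos = _der_integer(sig, pos)
    s, pos = _der_integer(sig, pos)
    if pos != len(sig):
        raise ValueError("extra bytes after s inside SEQUENCE")
    return r, s

def is_strict_der_sig(sig):
    try:
        strict_sig_value(sig)      # e.g. bytes.fromhex("3006020101020102") -> (1, 2)
        return True
    except (ValueError, IndexError):
        return False

def safe_verify(vk, sig, data, **kwargs):
    # Hypothetical wrapper: reject non-strict DER before python-ecdsa parses it, then
    # turn the advisory's extra exceptions into False instead of a crash.
    if not is_strict_der_sig(sig):
        return False
    from ecdsa import BadSignatureError, der, util  # lazy, so the checker runs without ecdsa
    try:
        return vk.verify(sig, data, sigdecode=util.sigdecode_der, **kwargs)
    except (BadSignatureError, der.UnexpectedDER, IndexError, AssertionError):
        return False
```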

Tags: Fix · DoS · Improper Handling of Exceptional Conditions


Weakness Enumeration

Related Identifiers

ALT-PU-2020-3226
BDU:2020-01480
CVE-2019-14853
DLA-1978-1
DSA-4588-1
GHSA-2MRJ-435V-C2CR
GHSA-PWFW-MGFJ-7G3G
MGASA-2020-0002
OPENSUSE-SU-2019:2472-1
OPENSUSE-SU-2019:2474-1
OPENSUSE-SU-2019_2472-1
OPENSUSE-SU-2019_2474-1
OPENSUSE-SU-2024:11229-1
OPENSUSE-SU-2024:13862-1
PYSEC-2019-177
RHSA-2021:4702
SUSE-SU-2019:2891-1
SUSE-SU-2019:2891-2
SUSE-SU-2019:3024-1
USN-4196-1

Affected Products

Alt Linux
Suse
Ubuntu
Python-Ecdsa