GHSA-6r8q-pfpv-7cgj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6r8q-pfpv-7cgj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-6r8q-pfpv-7cgj/GHSA-6r8q-pfpv-7cgj.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-6r8q-pfpv-7cgj
- Aliases
- Published
- 2023-05-12T20:21:35Z
- Modified
- 2024-11-19T16:46:47.757796Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Vyper vulnerable to integer overflow in loop
- Details
-
Impact
Due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter.
In the following example, calling
testreturns354, meaning that the variableadid store354a value out of bound for the typeuint8.@external def test() -> uint16: x:uint8 = 255 a:uint8 = 0 for i in range(x, x+100): a = i return convert(a,uint16)The issue seems to happen only in loops of type
for i in range(a, a + N)as in loops of typefor i in range(start, stop)andfor i in range(stop), the compiler is able to raise aTypeMismatchwhen trying to overflow the variable.thanks to @trocher for reporting
Patches
patched in 3de1415ee77a9244eb04bdb695e249d3ec9ed868
Workarounds
- Database specific
{ "nvd_published_at": "2023-05-11T21:15:10Z", "cwe_ids": [ "CWE-190" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-05-12T20:21:35Z" }- References
-
- https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj
- https://nvd.nist.gov/vuln/detail/CVE-2023-32058
- https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868
- https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-78.yaml
- https://github.com/vyperlang/vyper
Affected packages
PyPI / vyper
Package
- Name
- vyper
- View open source insights on deps.dev
- Purl
- pkg:pypi/vyper
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.3.8
Affected versions
0.*
0.1.0b1
0.1.0b2
0.1.0b3
0.1.0b4
0.1.0b5
0.1.0b6
0.1.0b7
0.1.0b8
0.1.0b9
0.1.0b10
0.1.0b11
0.1.0b12
0.1.0b13
0.1.0b14
0.1.0b15
0.1.0b16
0.1.0b17
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7