GHSA-7vrm-3jc8-5wwm

Source
https://github.com/advisories/GHSA-7vrm-3jc8-5wwm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-7vrm-3jc8-5wwm/GHSA-7vrm-3jc8-5wwm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7vrm-3jc8-5wwm
Aliases
Related
Published
2022-04-04T21:40:45Z
Modified
2024-12-05T05:39:26.407553Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Incorrect Comparison in Vyper
Details

Impact

Bytestrings can contain dirty (stale) bytes beyond their logical length, which causes the word-for-word comparison to give incorrect results, e.g.

b1: Bytes[32] = b"abcdef"
b1 = slice(b1, 0, 1)
b2: Bytes[32] = b"abcdef"
t: bool = b1 == b2  # incorrectly evaluates to True

Even without dirty nonzero bytes, because the lengths are never compared, two bytestrings can compare equal if one ends with "\x00".

b1: Bytes[32] = b"abc\0"
b2: Bytes[32] = b"abc"
t: bool = b1 == b2  # incorrectly evaluates to True
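As an added example (not code from the advisory or from the Vyper project), the following Python model shows why both cases above mislead a comparison that never consults the length, and what a length-aware comparison returns instead. The memory layout, the `ByteString` class and its `slice` helper are assumptions of the model, not Vyper internals; the model also shows the reverse failure, where dirty bytes make two equal strings compare unequal.

```python
# Added example, not code from the advisory or the Vyper project. It models a
# Bytes[N] value as a length field plus a zero-initialised buffer of whole
# 32-byte words, and contrasts the flawed comparison the advisory describes
# (data words only, length ignored) with a length-aware comparison.

WORD = 32  # EVM word size in bytes (assumption of the model)


class ByteString:
    """Simulated Bytes[max_len]: a length field plus a buffer of whole words."""

    def __init__(self, max_len: int, data: bytes = b"") -> None:
        if len(data) > max_len:
            raise ValueError("data exceeds Bytes[max_len] capacity")
        self.max_len = max_len
        self.length = len(data)
        nwords = (max_len + WORD - 1) // WORD
        self.buf = bytearray(nwords * WORD)  # fresh allocation: all zero
        self.buf[: len(data)] = data

    def slice(self, start: int, length: int) -> "ByteString":
        """Models slice(): copies the requested bytes to the front of the buffer
        and updates the length, but does not clear bytes beyond the new length,
        so they remain as dirty bytes (hypothetical model of the behaviour)."""
        if start < 0 or length < 0 or start + length > self.length:
            raise ValueError("slice out of bounds")
        out = ByteString(self.max_len)
        out.buf[:] = self.buf                          # keep old contents ...
        out.buf[:length] = self.buf[start : start + length]
        out.length = length                            # ... only fix the length
        return out

    def clean_bytes(self) -> bytes:
        """Only the bytes that are actually within the logical length."""
        return bytes(self.buf[: self.length])


def eq_word_for_word(a: ByteString, b: ByteString) -> bool:
    """Flawed comparison: walks the data words and never looks at the length."""
    for i in range(0, max(len(a.buf), len(b.buf)), WORD):
        if a.buf[i : i + WORD] != b.buf[i : i + WORD]:
            return False
    return True


def eq_length_aware(a: ByteString, b: ByteString) -> bool:
    """Corrected comparison: lengths must match and only in-bounds bytes count."""
    if a.length != b.length:
        return False
    return a.clean_bytes() == b.clean_bytes()


def advisory_cases() -> dict:
    """Reproduces the two cases from the advisory plus two control cases.
    Returns {case_name: (flawed_result, corrected_result)}."""
    # Case 1: slice leaves "bcdef" behind as dirty bytes after the new length 1.
    b1 = ByteString(32, b"abcdef").slice(0, 1)
    b2 = ByteString(32, b"abcdef")
    # Case 2: no dirty bytes, but a trailing NUL is indistinguishable from padding.
    c1 = ByteString(32, b"abc\0")
    c2 = ByteString(32, b"abc")
    # Control: equal strings where one carries dirty bytes past its length.
    d1 = ByteString(32, b"abcdef").slice(0, 3)  # "abc" followed by dirty "def"
    d2 = ByteString(32, b"abc")
    # Control: genuinely different strings.
    e1 = ByteString(32, b"abc")
    e2 = ByteString(32, b"abd")
    return {
        "slice_dirty_bytes": (eq_word_for_word(b1, b2), eq_length_aware(b1, b2)),
        "trailing_nul": (eq_word_for_word(c1, c2), eq_length_aware(c1, c2)),
        "equal_with_dirty_tail": (eq_word_for_word(d1, d2), eq_length_aware(d1, d2)),
        "different": (eq_word_for_word(e1, e2), eq_length_aware(e1, e2)),
    }


if __name__ == "__main__":
    for name, (flawed, fixed) in advisory_cases().items():
        print(f"{name:24s} word-for-word={str(flawed):5s} length-aware={fixed}")
```

The two advisory cases come out as (True, False): the flawed comparison reports equality, the length-aware one does not. The control with a dirty tail shows the opposite error, (False, True), which is why checking the length alone is not enough; the comparison must also restrict itself to in-bounds bytes.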

Patches

Fixed in https://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-697"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-04T21:40:45Z"
}
References

Affected packages

PyPI / vyper

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.3.2

Affected versions

0.*

0.1.0b1
0.1.0b2
0.1.0b3
0.1.0b4
0.1.0b5
0.1.0b6
0.1.0b7
0.1.0b8
0.1.0b9
0.1.0b10
0.1.0b11
0.1.0b12
0.1.0b13
0.1.0b14
0.1.0b15
0.1.0b16
0.1.0b17
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.3.0
0.3.1