GO-2023-1621

See a problem?

Source

https://pkg.go.dev/vuln/GO-2023-1621

Import Source

https://vuln.go.dev/ID/GO-2023-1621.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-1621

Aliases

Published

2023-03-08T19:30:53Z

Modified

2024-09-11T06:12:34.357569Z

Summary

Incorrect calculation on P256 curves in crypto/internal/nistec

Details

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve).

This does not impact usages of crypto/ecdsa or crypto/ecdh.

References

Credits

- Guido Vranken, via the Ethereum Foundation bug bounty program

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.19.7

Introduced

1.20.0-0

Fixed

1.20.2

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/internal/nistec",
            "symbols": [
                "P256OrdInverse",
                "P256Point.ScalarBaseMult",
                "P256Point.ScalarMult"
            ]
        }
    ]
}