Fix em_app vulnerability #554

Merged
merged 2 commits into from
Jan 16, 2024

raoulstrackx
Contributor

There is a (minor) security issue in em-app. The encrypt_buffer and decrypt_buffer functions use the rustc_serialize::from_hex() function on a cryptographic key, but from_hex has secret-dependent control flow.
This PR removes those functions and bumps the version of em-app.

Fixes #553

The `encrypt_buffer` and `decrypt_buffer` functions use the `rustc_serialize::from_hex` function, but it is not constant time and leads to secret dependent control flow. These functions shouldn't have been in the API in the first place, and are removed.
@raoulstrackx force-pushed the raoul/gh-553-fix_em_app_vulnerability branch from 1306317 to 7c46bec (January 16, 2024 14:48)
Collaborator

@zugzwang zugzwang left a comment

Thanks for spotting this and for the PR.

@raoulstrackx raoulstrackx added this pull request to the merge queue Jan 16, 2024
Merged via the queue into master with commit 8b187bd Jan 16, 2024
1 check passed
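
As an added illustration (not code from this PR, em-app, or rustc_serialize): a conventional match-based hex decoder, whose control flow depends on each digit of the key, beside a branch-free decoder. All function names here are hypothetical, and the sample key is constructed; the PR itself resolved the issue by removing `encrypt_buffer` and `decrypt_buffer` rather than by changing the decoder.

```rust
// Added example; function names are hypothetical, not em-app or rustc_serialize code.

/// Conventional decoder: the match arm taken depends on the value of each
/// input byte, i.e. on the key being decoded.
fn nibble_branching(c: u8) -> Option<u8> {
    match c {
        b'0'..=b'9' => Some(c - b'0'),
        b'a'..=b'f' => Some(c - b'a' + 10),
        b'A'..=b'F' => Some(c - b'A' + 10),
        _ => None,
    }
}

/// All-ones (-1) if lo <= c <= hi, else 0, computed from sign bits only.
fn in_range(c: i16, lo: u8, hi: u8) -> i16 {
    ((lo as i16 - 1 - c) & (c - hi as i16 - 1)) >> 15
}

/// Branch-free decoder: every byte goes through the same arithmetic.
/// Returns (nibble, mask) with mask 0xff for a hex digit and 0x00 otherwise.
fn nibble_ct(c: u8) -> (u8, u8) {
    let c = c as i16;
    let (d, l, u) = (in_range(c, b'0', b'9'), in_range(c, b'a', b'f'), in_range(c, b'A', b'F'));
    let v = (d & (c - 48)) | (l & (c - 87)) | (u & (c - 55));
    (v as u8, (d | l | u) as u8)
}

/// Decodes a hex string; only the length and overall validity are branched on.
/// Note: source-level branch freedom does not bind the optimizer, so real
/// code should confirm the generated machine code.
fn decode_hex_ct(hex: &[u8]) -> Option<Vec<u8>> {
    if hex.len() % 2 != 0 {
        return None; // length is treated as public
    }
    let mut ok = 0xffu8;
    let mut out = Vec::with_capacity(hex.len() / 2);
    for p in hex.chunks_exact(2) {
        let ((hi, m1), (lo, m2)) = (nibble_ct(p[0]), nibble_ct(p[1]));
        ok &= m1 & m2; // accumulate validity instead of returning early
        out.push((hi << 4) | lo);
    }
    if ok == 0xff { Some(out) } else { None }
}

fn main() {
    let key_hex = b"00ff1A2b"; // constructed sample, not a real key
    println!("{:?}", decode_hex_ct(key_hex));
}
```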