From: carnil@debian.org
Source: golang-filippo-edwards25519
Version: 1.0.0~rc1+git20210721-0.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team
Hi,
The following vulnerability was published for golang-filippo-edwards25519.
CVE-2026-26958[0]:
| filippo.io/edwards25519 is a Go library implementing the
| edwards25519 elliptic curve with APIs for building cryptographic
| primitives. In versions 1.1.0 and earlier, MultiScalarMult produces
| invalid results or undefined behavior if the receiver is not the
| identity point. If (*Point).MultiScalarMult is called on an
| initialized point that is not the identity point, it returns an
| incorrect result. If the method is called on an uninitialized point,
| the behavior is undefined. In particular, if the receiver is the
| zero value, MultiScalarMult returns an invalid point that compares
| Equal to every other point. Note that MultiScalarMult is a rarely
| used, advanced API. For example, users who depend on
| filippo.io/edwards25519 only through github.com/go-sql-driver/mysql
| are not affected. This issue has been fixed in version 1.1.1.
As described from upstream, MultiScalarMult is a rearely used,
advanced API. But I noticed that we have the same version across
bookworm up to unstable, it might be a good idea to rebase unstable's
version for aim to include in forky to a recent version.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-26958
https://www.cve.org/CVERecord?id=CVE-2026-26958
[1] https://github.com/FiloSottile/edwards25519/security/advisor
es/GHSA-fw7p-63qq-7hpr
[2] https://github.com/FiloSottile/edwards25519/commit/d1c650afb
5fad0742b98d95f2eb2cf031393abb
Regards,
Salvatore
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
