Vulnerability Report: GO-2023-2003

GHSA-8c37-7qx3-4c4p
Affects: github.com/supranational/blst
Published: Aug 10, 2023
Modified: May 20, 2024

When complemented with a check for infinity, blst skips performing a signature group-check. Formally speaking, infinity is the identity element of the elliptic curve group and as such it is a member of the group, so the group-check should be performed. The fix performs the check even in the presence of infinity.

Affected Packages

Path

Go Versions

Symbols
github.com/supranational/blst/bindings/go

from v0.3.0 before v0.3.11

all symbols

Aliases

GHSA-8c37-7qx3-4c4p

References

https://github.com/supranational/blst/commit/fb91221c91c82f65bfc7f243256308977a06d48b
https://github.com/supranational/blst/releases/tag/v0.3.11
https://vuln.go.dev/ID/GO-2023-2003.json

Credits

Yunjong Jeong (@blukat29)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL