CVE-2024-23342 Timing Attack

[yaronbenezra]

Hello,

SNYK and other scanning tools alerts on package vulnerability ( Timing Attack ) found at "sign_digest" API function.
( ecdsa.SigningKey.sign_digest() )

https://www.cve.org/CVERecord?id=CVE-2024-23342( HIGH Alert)

Can you address when you are going to fix this?

Regards,
Yaron

[maksimu]

We are also interesting is the ETA for the fix

[tomato42]

as stated in the vulnerability release GHSA-wj6h-64fc-37mp and as stated in the security policy timing attacks are outside the scope of the project.

If you need an implementation that is safe against side-channel attacks, I recommend using https://github.com/pyca/cryptography

It's a won't fix.

[dlpzx]

Hi @tomato42, can you give more details on what you mean by "timing attacks are outside the scope of the project."? Does it mean that ecdsa is not affected or just that resolving that vulnerability is responsibility of the users of ecdsa? Thanks

[tomato42]

@dlpzx I mean that Python doesn't provide the primitives that are side-channel free, so it's impossible to build a side-channel free implementation on top of them. To actually fix it, it would require implementing the whole operation in C, which is a non-goal for the library (as it won't be a pure-python any more)