ghsa-4hg4-9mf5-wxxq
Vulnerability from github
Published
2023-09-04 16:39
Modified
2023-09-08 21:05
Severity ?
Summary
incorrect order of evaluation of side effects for some builtins
Details
Impact
The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order.
• For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b.
• For ecadd(a,b) and ecmul(a,b), the order is b,a.
Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.
Patches
https://github.com/vyperlang/vyper/pull/3583
Workarounds
When using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.
References
Are there any links users can visit to find out more?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.9"
},
"package": {
"ecosystem": "PyPI",
"name": "vyper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-41052"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-04T16:39:49Z",
"nvd_published_at": "2023-09-04T18:15:08Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order.\n\u2022 For `uint256_addmod(a,b,c)` and `uint256_mulmod(a,b,c)`, the order is `c,a,b`.\n\u2022 For `ecadd(a,b)` and `ecmul(a,b)`, the order is `b,a`.\n\nNote that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. \n\n### Patches\nhttps://github.com/vyperlang/vyper/pull/3583\n\n### Workarounds\nWhen using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.\n\n### References\n_Are there any links users can visit to find out more?_\n",
"id": "GHSA-4hg4-9mf5-wxxq",
"modified": "2023-09-08T21:05:27Z",
"published": "2023-09-04T16:39:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41052"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/pull/3583"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vyperlang/vyper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "incorrect order of evaluation of side effects for some builtins"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.