CVE-2019-14853 – python-ecdsa: Unexpected and undocumented exceptions during signature decoding
https://notcve.org/view.php?id=CVE-2019-14853
An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service. Se encontró un error de manejo de errores en python-ecdsa anterior de la versión 0.13.3. Durante la decodificación de firmas, las firmas DER mal formadas pueden generar excepciones inesperadas (o ninguna excepción), lo que podría conducir a una denegación de servicio. An error-handling flaw was found in python-ecdsa. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14853 https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3 https://seclists.org/bugtraq/2019/Dec/33 https://www.debian.org/security/2019/dsa-4588 https://access.redhat.com/security/cve/CVE-2019-14853 https://bugzilla.redhat.com/show_bug.cgi?id=1758704 • CWE-391: Unchecked Error Condition CWE-755: Improper Handling of Exceptional Conditions •
CVE-2019-14859 – python-ecdsa: DER encoding is not being verified in signatures
https://notcve.org/view.php?id=CVE-2019-14859
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. Se encontró un fallo en todas las versiones de python-ecdsa anteriores a la versión 0.13.3, donde no se comprobaba correctamente si las firmas usaban codificación DER. Sin esta comprobación, se podría aceptar una firma malformada, haciendo que la firma sea maleable. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859 https://github.com/warner/python-ecdsa/issues/114 https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3 https://pypi.org/project/ecdsa/0.13.3 https://access.redhat.com/security/cve/CVE-2019-14859 https://bugzilla.redhat.com/show_bug.cgi?id=1760843 • CWE-347: Improper Verification of Cryptographic Signature •