20treeai / martin Goto Github PK

Marvin Attack: potential key recovery through timing sidechannels

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

See advisory page for additional details.

Hi, i noticed you have some CORs related changes, could you start a PR and/or an issue about this? I suspect it might impact more users, would be good to solve it upstream

HI, i noticed you have some CORS configuration changes in maplibre/martin@main...20treeAI:martin:main

Should these be pushed upstream? I'm not certain why you had to add those

libsqlite3-sys via C SQLite CVE-2022-35737

It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's printf function.

As libsqlite3-sys bundles SQLite, it is susceptible to the vulnerability. libsqlite3-sys was updated to bundle the patched version of SQLite here.

See advisory page for additional details.

In latest action looks like were pushing to ghcr.io/maplibre/martin:main

Cannot see we ever pushed to our own there but might be as easy as changing https://github.com/20treeAI/martin/actions/runs/5000718020/workflow#L39
to eu.gcr.io/tree-266510/martin ?