GHSA-j2x6-9323-fp7h

Опубликовано: 22 апр. 2022

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

Integer bounds error in Vyper

Impact

in the following code, the return of <iface>.returns_int128() is not validated to fall within the bounds of int128. as of v0.3.0, <iface>.returns_int128() is validated in simple expressions, but not complex expressions.

interface iface: def returns_int128() -> int128: view def returns_Bytes33() -> Bytes[33]: view x: iface @external def call_out(): x: int128 = self.x.returns_int128() # affected, <0.3.0 y: uint256 = convert(self.x.returns_int128(), uint256) # affected, <0.3.2 z: Bytes[33] = concat(self.x.returns_Bytes33(), b"") # affected >= 0.3.0, <0.3.2

Patches

0.3.2 (as of https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b)

Workarounds

Break up operations involving external calls into multiple statements. For instance, instead of the example above, use

x: int128 = self.x.returns_int128() y: uint256 = convert(x, uint256)

Ссылки

Пакеты

Наименование

vyper

pip

Затронутые версииВерсия исправления

< 0.3.2

0.3.2

EPSS

Процентиль: 60%

0.00397

Низкий

8.8 High

CVSS3

CVE ID

CVE-2022-24845

Дефекты

CWE-190

Связанные уязвимости

CVE-2022-24845

CVSS3: 8.8

nvd

почти 4 года назад

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not complex expressions. Users are advised to upgrade. There is no known workaround for this issue.

EPSS

Процентиль: 60%

0.00397

Низкий

8.8 High

CVSS3

CVE ID

CVE-2022-24845

Дефекты

CWE-190