GHSA-7vrm-3jc8-5wwm – vyper

Package

Manager: pip
Name: vyper
Vulnerable Version: >=0 <0.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Incorrect Comparison in Vyper ### Impact bytestrings can have dirty bytes in them, resulting in the word-for-word comparison to give incorrect results, e.g. ```vyper b1: Bytes[32] = b"abcdef" b1 = slice(b1, 0, 1) b2: Bytes[32] = b"abcdef" t: bool = b1 == b2 # incorrectly evaluates to True ``` even without dirty nonzero bytes, because there is no comparison of the length, two bytestrings can compare to equal if one ends with `"\x00"`. ```vyper b1: Bytes[32] = b"abc\0" b2: Bytes[32] = b"abc" t: bool = b1 == b2 # incorrectly evaluates to True ``` ### Patches fixed in https://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508

Metadata

Created: 2022-04-04T21:40:45Z
Modified: 2022-04-06T17:39:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-7vrm-3jc8-5wwm/GHSA-7vrm-3jc8-5wwm.json
CWE IDs: ["CWE-697"]
Alternative ID: N/A
Finding: F184
Auto approve: 1