{
  "url": "http://public2.vulnerablecode.io/api/packages/84416?format=json",
  "purl": "pkg:pypi/postquantum-feldman-vss@0.7.7b0",
  "type": "pypi",
  "namespace": "",
  "name": "postquantum-feldman-vss",
  "version": "0.7.7b0",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": false,
  "next_non_vulnerable_version": null,
  "latest_non_vulnerable_version": null,
  "affected_by_vulnerabilities": [],
  "fixing_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56819?format=json",
      "vulnerability_id": "VCID-25wk-eyha-bkbe",
      "summary": "PostQuantum-Feldman-VSS's Dependency Vulnerability in gmpy2 Leading to Interpreter Crash\n**Description:**\n\nPostQuantum-Feldman-VSS, a Python library implementing Feldman's Verifiable Secret Sharing scheme with post-quantum security, was vulnerable to denial-of-service attacks in versions up to and including 0.7.6b0. This vulnerability stems from the library's reliance on the `gmpy2` library for arbitrary-precision arithmetic. `gmpy2`, in turn, depends on the GNU Multiple Precision Arithmetic Library (GMP). GMP, by design, terminates the process when it cannot allocate memory. An attacker could exploit this by providing carefully crafted inputs that cause `gmpy2` to attempt to allocate extremely large amounts of memory, leading to a crash of the Python interpreter and thus a denial of service.\n\n**Vulnerability Details:**\n\nThe core issue lies in the behavior of GMP (and thus, `gmpy2`) when memory allocation fails. Instead of raising a standard Python exception that could be caught and handled, GMP terminates the entire process. This behavior is documented in the GMP and gmpy2 documentation:",
      "references": [
        {
          "reference_url": "https://github.com/DavidOsipov/PostQuantum-Feldman-VSS",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/DavidOsipov/PostQuantum-Feldman-VSS"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-v432-7f47-9g94",
          "reference_id": "GHSA-v432-7f47-9g94",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-v432-7f47-9g94"
        },
        {
          "reference_url": "https://github.com/DavidOsipov/PostQuantum-Feldman-VSS/security/advisories/GHSA-v432-7f47-9g94",
          "reference_id": "GHSA-v432-7f47-9g94",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/DavidOsipov/PostQuantum-Feldman-VSS/security/advisories/GHSA-v432-7f47-9g94"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/84416?format=json",
          "purl": "pkg:pypi/postquantum-feldman-vss@0.7.7b0",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/postquantum-feldman-vss@0.7.7b0"
        }
      ],
      "aliases": ["GHSA-v432-7f47-9g94"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-25wk-eyha-bkbe"
    }
  ],
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/postquantum-feldman-vss@0.7.7b0"
}