| Title | PuTTY Project (Simon Tatham) PuTTY 0.83 Improper Verification of Cryptographic Signature |
|---|
| Description | PuTTY's Ed25519 verification logic in crypto/ecc-ssh.c (eddsa_verify) does not enforce strict canonical-scalar validation (S < L). Because of this, a valid signature (R, S) can be malleated into (R, S+L) and still pass verification.
Using the provided PoC with PuTTY testcrypt (ssh_key_verify), both signatures verify successfully:
putty verify(orig) = True
putty verify(S+L) = True
This demonstrates Ed25519 signature malleability acceptance (non-canonical signature accepted). Historically, similar signature malleability vulnerabilities have been discovered and assigned CVEs in other projects, including CVE-2026-3706, CVE-2020-36843, and CVE-2024-45193. |
|---|
| Source | ⚠️ https://github.com/py-thok/putty-ed25519-malleability-s-plus-l |
|---|
| User | pythok (UID 95793) |
|---|
| Submission | 2026-03-09 07:40 (2 months ago) |
|---|
| Moderation | 2026-03-22 12:48 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 352429 [PuTTY 0.83 Ed25519 Signature crypto/ecc-ssh.c eddsa_verify weak authentication] |
|---|
| Points | 20 |
|---|
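
A strict S < L check of the kind the description says eddsa_verify lacks, written as an added example (not PuTTY's code and not the linked PoC). It parses an SSH wire-format signature blob (RFC 8709) and rejects a non-reduced S as RFC 8032 section 5.1.7 requires; all function names are hypothetical, and the R and S values passed to make_blob are constructed, not real signatures.

```python
import struct

# Order of the Ed25519 base-point subgroup (RFC 8032, section 5.1).
L = 2**252 + 27742317777372353535851937790883648493

def _read_string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end

def parse_ssh_ed25519_sig(blob):
    """Split an SSH signature blob into (R bytes, S as an integer)."""
    alg, off = _read_string(blob, 0)
    sig, off = _read_string(blob, off)
    if alg != b"ssh-ed25519":
        raise ValueError("not an ssh-ed25519 signature")
    if off != len(blob):
        raise ValueError("trailing data after signature")
    if len(sig) != 64:
        raise ValueError("Ed25519 signature must be 64 bytes")
    # S is the second half, encoded little-endian.
    return sig[:32], int.from_bytes(sig[32:], "little")

def is_canonical(blob):
    """True only if S is fully reduced (0 <= S < L)."""
    _, s = parse_ssh_ed25519_sig(blob)
    return s < L

def make_blob(r, s):
    """Build a blob from constructed R and S (sample-data helper, not a signer)."""
    sig = r + s.to_bytes(32, "little")
    parts = (b"ssh-ed25519", sig)
    return b"".join(struct.pack(">I", len(x)) + x for x in parts)
```

Because L is below 2^253, S+L still fits in the 32-byte S field, so a length check alone cannot tell the two encodings apart; the comparison against L has to run before the curve equation is evaluated.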