Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 24 Apr 2024 17:17:47 -0400
From: Paragon Initiative Enterprises Security Team <>
Subject: Security Issues and Abandonment of PHP ECC library (mdanter/ecc, phpecc/phpecc)

Good afternoon, OSS-Security Mailing List readers.

We are troubled to report that the PHP elliptic curve cryptography library
known by the packagist name "mdanter/ecc" and the GitHub URL has not responded to our attempts to fix
security issues from the year 2021.

These pull requests fix a particular problem with generating an ECDSA
signature: Calculating the modular inverse of your one-time secret, k, in

*Put A Fork In It*

After reviewing the situation and failing to get in contact with the
maintainers (their websites are offline and emails are bouncing), we opted
to fork this library.

Our fork can be found at this URL:

Additionally, several more issues have been discovered as we review this

1. *Signature malleability* (i.e., (R,S) and (R,n-S) are both accepted).
This is particularly troubling since many of the projects that depend on
mdanter/ecc <> ( link) are
cryptocurrency-adjacent. We fixed this in v2.0.0 of our fork
2. *ECDH Timing Leaks*. The way ECDH works is that it grabs the math
adapter from the public point and uses that to compute a shared secret with
the secret scalar. Despite the pains taken to implement a Montgomery Ladder
for scalar*point multiplication, the underlying algorithms' use of GMP were
timing-leaky. We fixed this in v2.0.0 of our fork
3. *Branch-based Timing Leaks in Point Addition*. Point addition contains
slow code that runs if a condition is true, and fast code that runs if the
condition is false. This exposes a branch-based timing leak that doesn't
require advanced techniques (e.g., manipulating the CPU's branch predictor)
to trigger. We fixed this in v2.0.1 of our fork

The incumbent library has nearly 5 million installs according to Packagist
statistics <>. This
includes historical installs that were replaced with newer versions, so the
actual installed base is smaller, but probably only by 1 or 2 orders of

*Actions Taken to Proactively Mitigate Risk*

After we announced our fork, and the motivation for it, the Packagist
maintainers have marked the mdanter/ecc package as abandoned
<> and
recommended our fork.

Projects using the Roave/SecurityAdvisories
<> package to block vulnerable
dependencies from being installed will begin receiving a version conflict
with any version of mdanter/ecc as of 2 hours ago (from when we write this

We opened GitHub issues with several dozen dependent projects to ensure
community awareness of this issue. For example:

Unfortunately, many of the dependents listed on Packagist are forks of
other dependents, and some had no means to contact them. To that end, we're
relying on public communication channels, such as this mailing list and
to get the word out.


We have requested a CVE identifier from MITRE for the ECDSA weaknesses we
reported and provided a patch for in 2021, but a CVE ID has not been
assigned as of this writing.

Our work is far from over. We expect to find and fix more bugs in the
coming weeks. However, migrating off the abandoned package is a necessary
first step to stop the bleeding.

If you have a package that currently depends on mdanter/ecc, we provided a
simple migration guide in our v2.0.0 release notes:

We would also like to thank the following people for helping move this
issue towards resolution in the absence of the original package's
maintainers: Nils Alderman, Frederik Bosch, and Marco Pivetta.

Happy hacking,

Security Team
Paragon Initiative Enterprises <>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.