Description
The tlsfuzzer/python-ecdsa library this project uses has a reported vulnerability (CVE-2024-23342), which causes this project to no longer build on NixOS (see romanz/trezor-agent#505 for a report of this same issue).
I realize the nix package isn't official, but I assume it's only a matter of time before other projects also block the python-ecdsa library.
Additionally, the python-ecdsa maintainer has stated that the project shouldn't be used in production in tlsfuzzer/python-ecdsa#330 (comment):
> I don't want people to use this library in production environments...
> It's a teaching tool, it's a testing tool, it's absolutely not a production grade implementation.
tlsfuzzer/python-ecdsa#330 also links to a bunch more issues in other projects as well.