Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4hg4-9mf5-wxxq: incorrect order of evaluation of side effects for some builtins

Impact

The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order. • For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b. • For ecadd(a,b) and ecmul(a,b), the order is b,a.

Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.

Patches

https://github.com/vyperlang/vyper/pull/3583

Workarounds

When using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

References

Are there any links users can visit to find out more?

ghsa
Open in Source
#git#perl

Impact

The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order.
• For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b.
• For ecadd(a,b) and ecmul(a,b), the order is b,a.

Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.

Patches

vyperlang/vyper#3583

Workarounds

When using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

References

Are there any links users can visit to find out more?

References

  • GHSA-4hg4-9mf5-wxxq
  • vyperlang/vyper#3583

Related news

CVE-2023-41052: fix: order of evaluation for some builtins by charles-cooper · Pull Request #3583 · vyperlang/vyper

Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

ghsa: Latest News

GHSA-hjq4-87xh-g4fv: vLLM Allows Remote Code Execution via PyNcclPipe Communication Service
ghsa