Comment by CiPHPerCoder
1 month ago
This also affected the PHP library, sodium_compat. https://github.com/FriendsOfPHP/security-advisories/pull/756
I'm planning to spend my evening checking every other Ed25519 implementation I can find to see if this check is missing any where else in the open source ecosystem.
I found several libraries that simply didn't implement the check, but none that implemented in incorrectly in the same way as the vulnerability discussed above.
If you didn't receive an email from me, either your implementation isn't listed on https://ianix.com/pub/ed25519-deployment.html, I somehow missed it, or you're safe.
Thank you for your work on free software.
My company just released a JWT library for java that supports Ed25519[0]. Any idea how I can submit that to the ianix list?
0: https://github.com/FusionAuth/fusionauth-jwt
[dead]
> Did you also check all of the libraries that implement the check differently to libsodium?
Yes, but it was a breadth-first search sourced from the ianix webpage, so I certainly missed some details somewhere. I'll continue to search over the coming weeks in my spare time (if I can get any).
Thank you for your work on open source.