Triggering this bug in the affected versions requires a Windows environment that either 1) lacks SSE4.1 support (i.e. an x86 CPU older than 2007), or 2) sets default_features = false. Some callers (e.g. multihash) do set default_features = false in their dependencies, so option 2 is probably more likely than option 1. When the bug is triggered, it corrupts an SSE register, and the effect of that depends on the caller. I'm not aware of any cases in the wild where it had any observable effect. When I've been able to see an effect in testing, it's a corrupt/incorrect hash value, which is arguably a security issue even if there's no path to general memory corruption.
This was fixed in v1.2.0 (Nov 5, 2021). See BLAKE3-team/BLAKE3#206 and https://github.com/BLAKE3-team/BLAKE3/releases/tag/1.2.0.
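A triage check a maintainer might run after reading this issue, as an added example that is not part of the original issue or the BLAKE3 project's code: it scans `Cargo.lock` text for `blake3` entries older than the 1.2.0 fix. It assumes every earlier release needs review (the issue does not give the affected range); the function names and the sample lockfile are constructed for illustration.

```rust
// Added example: flag blake3 entries in a Cargo.lock that predate the 1.2.0 fix.
// Assumption: any release before 1.2.0 is flagged, since the issue lists no lower bound.
const FIXED: (u64, u64, u64) = (1, 2, 0);

/// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Return the version string of every `blake3` package in the lockfile text
/// that is older than the fixed release (or whose version cannot be parsed).
fn unfixed_blake3_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name: Option<&str> = None;
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // a new package entry starts here
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name == Some("blake3") {
                match parse_version(v) {
                    Some(parsed) if parsed >= FIXED => {}
                    _ => hits.push(v.to_string()), // older or unparseable: review
                }
            }
        }
    }
    hits
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE: &str = r#"version = 3
[[package]]
name = "blake3"
version = "0.3.8"
[[package]]
name = "blake3"
version = "1.2.0"
"#;

fn main() {
    for v in unfixed_blake3_versions(SAMPLE) {
        println!("blake3 {} predates the 1.2.0 fix", v);
    }
}
```

A hit only shows that the fixed code is absent; whether the affected path is actually built still depends on the target being Windows and on the resolved feature set, which the lockfile does not record.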