An issue was discovered in the sodiumoxide crate before 0.2.5 for Rust. generichash::Digest::eq compares itself to itself and thus has degenerate security properties.
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-25002
- https://github.com/sodiumoxide/sodiumoxide/pull/381
- https://github.com/sodiumoxide/sodiumoxide/pull/381/commits/fae052b834b097ced9a89a8fff8466e18f383070
- https://rustsec.org/advisories/RUSTSEC-2019-0026.html
- https://github.com/sodiumoxide/sodiumoxide/commit/38490723927f230498adf795153e6cd3cb08b6a8
- https://github.com/advisories/GHSA-wrvc-72w7-xpmj