blob: 7e584a3cf0da848ad0c80f5fd6ad9049911f95d2 [file] [log] [blame]
id: GO-2023-1765
modules:
- module: github.com/cloudflare/circl
versions:
- fixed: 1.3.3
vulnerable_at: 1.3.2
packages:
- package: github.com/cloudflare/circl/abe/cpabe/tkn20/internal/tkn
symbols:
- EncryptCCA
- package: github.com/cloudflare/circl/blindsign/blindrsa
symbols:
- RSAVerifier.Blind
- package: github.com/cloudflare/circl/kem/frodo/frodo640shake
symbols:
- PublicKey.EncapsulateTo
derived_symbols:
- scheme.Encapsulate
- scheme.EncapsulateDeterministically
- package: github.com/cloudflare/circl/kem/kyber/kyber1024
symbols:
- PublicKey.EncapsulateTo
derived_symbols:
- scheme.Encapsulate
- scheme.EncapsulateDeterministically
- package: github.com/cloudflare/circl/kem/kyber/kyber512
symbols:
- PublicKey.EncapsulateTo
derived_symbols:
- scheme.Encapsulate
- scheme.EncapsulateDeterministically
- package: github.com/cloudflare/circl/kem/kyber/kyber768
symbols:
- PublicKey.EncapsulateTo
derived_symbols:
- scheme.Encapsulate
- scheme.EncapsulateDeterministically
- package: github.com/cloudflare/circl/kem/sike/sikep434
symbols:
- scheme.Encapsulate
- package: github.com/cloudflare/circl/kem/sike/sikep503
symbols:
- scheme.Encapsulate
- package: github.com/cloudflare/circl/kem/sike/sikep751
symbols:
- scheme.Encapsulate
summary: Leaked shared secret and weak blinding in github.com/cloudflare/circl
description: |-
When sampling randomness for a shared secret, the implementation of Kyber and
FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare
deployment cases (error thrown by the Read() function), this could lead to a
predictable shared secret.
The tkn20 and blindrsa components did not check whether enough randomness was
returned from the user provided randomness source. Typically the user provides
crypto/rand.Reader, which in the vast majority of cases will always return the
right number random bytes. In the cases where it does not, or the user provides
a source that does not, the blinding for blindrsa is weak and integrity of the
plaintext is not ensured in tkn20.
cves:
- CVE-2023-1732
ghsas:
- GHSA-2q89-485c-9j2x
references:
- advisory: https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x
- fix: https://github.com/cloudflare/circl/commit/ff8d91225f8954b4970b6d6382d2e4c78f4a4cf8
review_status: REVIEWED