commit c68acc56282cfaa857f8142bcedb59c3d57128f3
author Jonathan Amsterdam <jba@google.com> Mon May 15 14:55:29 2023 -0400
committer Jonathan Amsterdam <jba@google.com> Wed May 24 15:32:51 2023 +0000
tree 299eb3ccc40581137435576992226bfc9c055209
parent 37153dbef6b2ac5686aed16836aa43eac32dab84

data/reports: add GO-2023-1765.yaml

Aliases: CVE-2023-1732, GHSA-2q89-485c-9j2x

There were two edits in the fix CL that are not reflected in the
report: the ones in packages kem/kyber/templates and
kem/sike/templates. These contain Go files with a "//+ build ignore"
tag. They are actually templates that are probably used
to generated the other .go files.

I tried to add a comment to that effect to the yaml file,
but vulnreport removed it.

Fixes golang/vulndb#1765

Change-Id: Ib48fae330230687178ea4b61e6202150e6f89d1b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/494940
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

data/osv/GO-2023-1765.json

diff --git a/data/osv/GO-2023-1765.json b/data/osv/GO-2023-1765.json
new file mode 100644
index 0000000..25f0dcb
--- /dev/null
+++ b/data/osv/GO-2023-1765.json
@@ -0,0 +1,111 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-1765",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-1732",
+    "GHSA-2q89-485c-9j2x"
+  ],
+  "details": "When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret.\n\nThe tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cloudflare/circl",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.3"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cloudflare/circl/abe/cpabe/tkn20/internal/tkn",
+            "symbols": [
+              "EncryptCCA"
+            ]
+          },
+          {
+            "path": "github.com/cloudflare/circl/blindsign/blindrsa",
+            "symbols": [
+              "RSAVerifier.Blind"
+            ]
+          },
+          {
+            "path": "github.com/cloudflare/circl/kem/frodo/frodo640shake",
+            "symbols": [
+              "PublicKey.EncapsulateTo",
+              "scheme.Encapsulate",
+              "scheme.EncapsulateDeterministically"
+            ]
+          },
+          {
+            "path": "github.com/cloudflare/circl/kem/kyber/kyber1024",
+            "symbols": [
+              "PublicKey.EncapsulateTo",
+              "scheme.Encapsulate",
+              "scheme.EncapsulateDeterministically"
+            ]
+          },
+          {
+            "path": "github.com/cloudflare/circl/kem/kyber/kyber512",
+            "symbols": [
+              "PublicKey.EncapsulateTo",
+              "scheme.Encapsulate",
+              "scheme.EncapsulateDeterministically"
+            ]
+          },
+          {
+            "path": "github.com/cloudflare/circl/kem/kyber/kyber768",
+            "symbols": [
+              "PublicKey.EncapsulateTo",
+              "scheme.Encapsulate",
+              "scheme.EncapsulateDeterministically"
+            ]
+          },
+          {
+            "path": "github.com/cloudflare/circl/kem/sike/sikep434",
+            "symbols": [
+              "scheme.Encapsulate"
+            ]
+          },
+          {
+            "path": "github.com/cloudflare/circl/kem/sike/sikep503",
+            "symbols": [
+              "scheme.Encapsulate"
+            ]
+          },
+          {
+            "path": "github.com/cloudflare/circl/kem/sike/sikep751",
+            "symbols": [
+              "scheme.Encapsulate"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cloudflare/circl/commit/ff8d91225f8954b4970b6d6382d2e4c78f4a4cf8"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-1765"
+  }
+}
\ No newline at end of file

data/reports/GO-2023-1765.yaml

diff --git a/data/reports/GO-2023-1765.yaml b/data/reports/GO-2023-1765.yaml
new file mode 100644
index 0000000..efe75ac
--- /dev/null
+++ b/data/reports/GO-2023-1765.yaml
@@ -0,0 +1,66 @@
+modules:
+  - module: github.com/cloudflare/circl
+    versions:
+      - fixed: 1.3.3
+    vulnerable_at: 1.3.2
+    packages:
+      - package: github.com/cloudflare/circl/abe/cpabe/tkn20/internal/tkn
+        symbols:
+          - EncryptCCA
+      - package: github.com/cloudflare/circl/blindsign/blindrsa
+        symbols:
+          - RSAVerifier.Blind
+      - package: github.com/cloudflare/circl/kem/frodo/frodo640shake
+        symbols:
+          - PublicKey.EncapsulateTo
+        derived_symbols:
+          - scheme.Encapsulate
+          - scheme.EncapsulateDeterministically
+      - package: github.com/cloudflare/circl/kem/kyber/kyber1024
+        symbols:
+          - PublicKey.EncapsulateTo
+        derived_symbols:
+          - scheme.Encapsulate
+          - scheme.EncapsulateDeterministically
+      - package: github.com/cloudflare/circl/kem/kyber/kyber512
+        symbols:
+          - PublicKey.EncapsulateTo
+        derived_symbols:
+          - scheme.Encapsulate
+          - scheme.EncapsulateDeterministically
+      - package: github.com/cloudflare/circl/kem/kyber/kyber768
+        symbols:
+          - PublicKey.EncapsulateTo
+        derived_symbols:
+          - scheme.Encapsulate
+          - scheme.EncapsulateDeterministically
+      - package: github.com/cloudflare/circl/kem/sike/sikep434
+        symbols:
+          - scheme.Encapsulate
+      - package: github.com/cloudflare/circl/kem/sike/sikep503
+        symbols:
+          - scheme.Encapsulate
+      - package: github.com/cloudflare/circl/kem/sike/sikep751
+        symbols:
+          - scheme.Encapsulate
+summary: Kyber and FrodoKEM leak shared secret; blinding could be weak for tkn20 and
+    blindrsa.
+description: |
+    When sampling randomness for a shared secret, the implementation of Kyber
+    and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In
+    rare deployment cases (error thrown by the Read() function), this could lead
+    to a predictable shared secret.
+
+    The tkn20 and blindrsa components did not check whether enough randomness
+    was returned from the user provided randomness source. Typically the user
+    provides crypto/rand.Reader, which in the vast majority of cases will always
+    return the right number random bytes. In the cases where it does not, or the
+    user provides a source that does not, the blinding for blindrsa is weak and
+    integrity of the plaintext is not ensured in tkn20.
+cves:
+  - CVE-2023-1732
+ghsas:
+  - GHSA-2q89-485c-9j2x
+references:
+  - advisory: https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x
+  - fix: https://github.com/cloudflare/circl/commit/ff8d91225f8954b4970b6d6382d2e4c78f4a4cf8