x/vulndb: deprecation of github.com/kudelskisecurity/crystals-go/ following division timing attack #2469

Closed
1 task done
AnomalRoil opened this issue Jan 15, 2024 · 3 comments

Comments

@AnomalRoil

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

The KyberSlash 1 & 2 vulnerabilities could be found in this repo (see https://kyberslash.cr.yp.to/), and led to the repo being officially archived since it is not maintained anymore.

KyberSlash1 was fixed, but KyberSlash2 wasn't before archival.
Users should instead use https://pkg.go.dev/filippo.io/mlkem768 for key encapsulation / encryption / decryption using Kyber.

Affected Modules, Packages, Versions and Symbols

Module: github.com/kudelskisecurity/crystals-go/
Package: github.com/kudelskisecurity/crystals-go/kyber

Versions:
  - v0
Fixed:
  - Not fixed
Symbols:
  - *Kyber.Encaps
  - *Kyber.Encrypt
  - *Kyber.Decaps

Module: github.com/kudelskisecurity/crystals-go/
Package: github.com/kudelskisecurity/crystals-go/kyber

Versions:
  - v0
Fixed: 
  - v0.0.0-20240110155413-56534a791e8e 
Symbols:
  - *Kyber.Decrypt

CVE/GHSA ID

No response

Fix Commit or Pull Request

kudelskisecurity/crystals-go#20

References

Additional information

No response
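
KyberSlash is a timing leak that comes from dividing secret-dependent values by the Kyber modulus q = 3329. As an added example (not code from crystals-go or from this issue), the Go program below puts the division form beside a multiply-and-shift replacement and checks exhaustively that both give the same result; the type, function names and constant table are this example's own assumptions.

```go
package main

import "fmt"

// q is the Kyber modulus.
const q = 3329

// params holds one compression width d and the multiply-and-shift
// constants this example uses in place of the division by q.
type params struct {
	d     uint   // number of bits kept
	add   uint64 // rounding offset added before the multiplication
	mul   uint64 // approximately 2^shift / q
	shift uint
}

// Constructed for this example: d=1 is message decoding, d=4 and d=5 are
// coefficient compression widths.
var table = []params{
	{1, 1665, 80635, 28},
	{4, 1665, 80635, 28},
	{5, 1664, 40318, 27},
}

// compressDiv rounds x*2^d/q with a division. Where division latency
// depends on the operands, run time depends on the secret x.
func compressDiv(x uint64, d uint) uint64 {
	return ((x<<d + q/2) / q) & (uint64(1)<<d - 1)
}

// compressMul computes the same value with a multiplication and a shift.
func compressMul(x uint64, p params) uint64 {
	return ((x<<p.d + p.add) * p.mul >> p.shift) & (uint64(1)<<p.d - 1)
}

// firstMismatch compares both forms over every coefficient in [0, q) and
// returns the first input where they differ, or -1 if they always agree.
func firstMismatch(p params) int {
	for x := uint64(0); x < q; x++ {
		if compressDiv(x, p.d) != compressMul(x, p) {
			return int(x)
		}
	}
	return -1
}

func main() {
	for _, p := range table {
		fmt.Printf("d=%d first mismatch: %d\n", p.d, firstMismatch(p))
	}
}
```

The exhaustive loop is the useful part when reviewing such a fix: a rounding offset that is off by one still looks plausible but produces a wrong bit for some coefficient, which the check reports.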

@maceonthompson

Thanks for the report! This will be designated GO-2024-2469.
Clarifying question before I create the report: is kudelskisecurity/crystals-go#21 related to this change? If so, does this mean that the Encaps, Encrypt, and Decaps symbols are now fixed at the latest version (or will they be permanently vulnerable)?

@tgkudelski

Yes, the code now also contains fixes for KyberSlash2 (they were added yesterday). Please note that we (Kudelski Security) do not have plans to continue maintaining this library, which is why we deprecated and archived it. Feel free to fork it!

@gopherbot
Contributor

Change https://go.dev/cl/556375 mentions this issue: data/reports: add GO-2024-2469.yaml
