Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNHY4LWpnY3YtOWc3Nc4AA4Lu
safe_pqc_kyber leaks parts of secret keys
Impact
On some platforms, when an attacker can time decapsulation, and in particular when the attacker can forge ciphertexts, they can learn (parts of) the secret key.
This does not apply to ephemeral usage, such as the regular way the KEM is used in TLS.
Patches
Patched in 0.6.2.
Permalink: https://github.com/advisories/GHSA-p4v8-jgcv-9g75
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNHY4LWpnY3YtOWc3Nc4AA4Lu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 11 months ago
Identifiers: GHSA-p4v8-jgcv-9g75
References:
- https://github.com/bwesterb/argyle-kyber/security/advisories/GHSA-p4v8-jgcv-9g75
- https://github.com/bwesterb/argyle-kyber/commit/b5c6ad13f4eece80e59c6ebeafd787ba1519f5f6
- https://kyberslash.cr.yp.to/
- https://github.com/advisories/GHSA-p4v8-jgcv-9g75
Blast Radius: 0.0
Affected Packages
cargo:safe_pqc_kyber
Dependent packages: 3
Dependent repositories: 1
Downloads: 4,620 total
Affected Version Ranges: < 0.6.2
Fixed in: 0.6.2
All affected versions: 0.6.1
All unaffected versions: 0.6.2, 0.6.3