Bugzilla – Bug 1226468
VUL-0: CVE-2024-37305: oqs-provider: buffer overflow in deserialization of hybrid keys and signatures
Last modified: 2024-07-16 19:52:48 UTC
oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs.

Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage. Handling of plain/non-hybrid PQ key operation is not affected.

This issue has been patched in v0.6.1. All users are advised to upgrade. There are no workarounds for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37305
https://www.cve.org/CVERecord?id=CVE-2024-37305
https://github.com/open-quantum-safe/oqs-provider/pull/416
https://github.com/open-quantum-safe/oqs-provider/security/advisories/GHSA-pqvr-5cr8-v6fx
https://bugzilla.redhat.com/show_bug.cgi?id=2292772
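The kind of length validation whose absence the report describes, as an added example that is not part of the original report and is not oqs-provider's code. It assumes a blob laid out as a 4-byte big-endian length prefix, then the classical component, then the post-quantum component; `split_hybrid`, `hybrid_parts`, `decode_u32_be` and `max_classical` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

#define LEN_PREFIX 4u /* bytes in the encoded uint32 length field */

/* Hypothetical result type; the pointers alias the input buffer. */
struct hybrid_parts {
    const uint8_t *classical; size_t classical_len;
    const uint8_t *pq;        size_t pq_len;
};

/* Big-endian decode (byte order is an assumption of this example). */
static uint32_t decode_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 and fills *out, or -1 if the declared length cannot be trusted.
   max_classical is the caller's upper bound for the classical component. */
int split_hybrid(const uint8_t *buf, size_t buf_len, size_t max_classical,
                 struct hybrid_parts *out)
{
    if (buf == NULL || out == NULL || buf_len < LEN_PREFIX)
        return -1; /* too short to hold the prefix: do not decode it */

    uint32_t declared = decode_u32_be(buf);
    size_t remaining = buf_len - LEN_PREFIX;

    /* Compare against the bytes left; LEN_PREFIX + declared could wrap
       where size_t is 32 bits wide. */
    if (declared == 0 || declared > max_classical || declared >= remaining)
        return -1; /* ">=" also rejects a blob with no PQ bytes */

    out->classical = buf + LEN_PREFIX;
    out->classical_len = declared;
    out->pq = out->classical + declared;
    out->pq_len = remaining - declared;
    return 0;
}

int main(void)
{
    /* Constructed input: prefix claims 0xFFFFFFFF bytes, 1 byte follows. */
    const uint8_t bad[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xAA};
    struct hybrid_parts p;
    return split_hybrid(bad, sizeof bad, 64, &p) == -1 ? 0 : 1;
}
```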
Tracking as affected:
- openSUSE:Backports:SLE-15-SP5/oqs-provider 0.3.0
- openSUSE:Factory/oqs-provider 0.6.0
- SUSE:ALP:Source:Standard:1.0/oqs-provider 0.5.0
- SUSE:SLE-15-SP6:Update/oqs-provider 0.5.0
- SUSE:SLFO:Main/oqs-provider 0.6.0
This is an autogenerated message for OBS integration:
This bug (1226468) was mentioned in
https://build.opensuse.org/request/show/1181501 Factory / oqs-provider