Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Buffer overflow in deserialization in oqs-provider
Vulnerability Description
oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage. Handling of plain/non-hybrid PQ key operation is not affected. This issue has been patched in in v0.6.1. All users are advised to upgrade. There are no workarounds for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Vulnerability Type
未进行输入大小检查的缓冲区拷贝(传统缓冲区溢出)
Vulnerability Title
oqsprovider 安全漏洞
Vulnerability Description
oqsprovider是Open Quantum Safe个人开发者的一个库。 oqsprovider 0.6.0及之前版本存在安全漏洞,该漏洞源于oqs-provider 在处理序列化混合密钥和签名开头解码的长度时存在缺陷,格式错误的输入可能导致崩溃或信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A