Page MenuHome GnuPG
Create Task
Maniphest T8208

Missing bounds check in libgcrypt's Dilithium context handling
Closed, ResolvedPublic
Actions

Description

The low-level Dilithium code as used by Libgcrypt uses a static array PRE but fills it from the CTX arg w/o a check. This bug needs to be fixed but real-world severity is low because the context is a protocol or implementation defined constant and thus not derived from attacker controlled data..

Reported-by: Calif.io in collaboration with Claude and Anthropic Research.

Revisions and Commits

rC libgcrypt
rC905e00f046a7 cipher:dilithium: Check the label length by caller.

Related Objects

Event Timeline

werner triaged this task as High priority.Mon, Apr 6, 5:09 PM
werner created this task.
werner created this object with edit policy "Contributor (Project)".
werner added a project: Security.Mon, Apr 6, 5:13 PM
pl13 added a subscriber: pl13.Wed, Apr 8, 9:04 AM
gniibe claimed this task.Thu, Apr 9, 8:48 AM
gniibe added a subscriber: gniibe.

Minimum fix is:

0001-cipher-dilithium-Check-the-label-length-by-caller.patch1 KBDownload

gniibe added a comment.EditedFri, Apr 10, 11:07 AM

The minimum fix avoids changes needed, thus, a bit confusing as a whole.
Here are better changes:

0001-cipher-dilithium-Fix-the-glue-of-libgcrypt.patch1 KBDownload

0002-cipher-dilithium-Check-the-label-length-by-caller.patch11 KBDownload

gniibe mentioned this in Unknown Object (Maniphest Task).Mon, Apr 13, 6:35 AM
gniibe added a commit: rC905e00f046a7: cipher:dilithium: Check the label length by caller..Tue, Apr 14, 5:03 AM
gniibe changed the task status from Open to Testing.Wed, Apr 15, 7:32 AM
werner mentioned this in T8114: Release Libgcrypt 1.12.2.Wed, Apr 15, 11:16 AM
werner closed this task as Resolved.Wed, Apr 15, 11:18 AM
gniibe mentioned this in Unknown Object (Maniphest Task).Mon, Apr 20, 9:40 AM
werner added a comment.Wed, Apr 22, 10:23 AM

FWIW: There is actually a problem in the reference code: Having a
fixed size buffer inside a function and allowing the caller to provide
content at arbitrary length is bad coding style because the caller
needs to know internals of the called function (in a different source
file).

This should be reported to the reference code maintainers.