GHSA-753p-wrj5-g8fj: PQClean has a correctness error in HQC decapsulation
A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.
No concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability.
References
- github.com/PQClean/PQClean
- github.com/PQClean/PQClean/pull/578
- github.com/PQClean/PQClean/security/advisories/GHSA-753p-wrj5-g8fj
- github.com/advisories/GHSA-753p-wrj5-g8fj
- github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7
- github.com/rustpq/pqcrypto/commit/0c07fa8badbf44f67d3ff1571df31ca54e5228c0
Detect and mitigate GHSA-753p-wrj5-g8fj with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →