CVE-2023-5363 log

Source
Severity Medium
Remote Yes
Type Incorrect calculation
Description
A bug has been identified in OpenSSL <= 3.1.3, in the processing of key and initialisation vector (IV) lengths.  This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.
For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse.
Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception.
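As an added illustration (not code from the advisory or from OpenSSL) of why truncating a deterministic IV causes reuse: a 96-bit GCM IV is built in the SP 800-38D section 8.2.1 style from a fixed field followed by an invocation counter, and the example counts how many distinct IVs collapse into the same value once only a prefix of each one is actually applied. The field sizes (32-bit fixed, 64-bit invocation) and the prefix-truncation model are assumptions made for the example.

```python
import struct

FIXED_LEN = 4        # assumed: 32-bit fixed field (device / context id)
COUNTER_LEN = 8      # assumed: 64-bit invocation counter
GCM_IV_LEN = FIXED_LEN + COUNTER_LEN  # 96-bit IV recommended for GCM


def deterministic_iv(fixed_field: bytes, invocation: int) -> bytes:
    """SP 800-38D 8.2.1 style IV: fixed field first, invocation counter last."""
    if len(fixed_field) != FIXED_LEN:
        raise ValueError("fixed field must be %d bytes" % FIXED_LEN)
    if not 0 <= invocation < 2 ** (8 * COUNTER_LEN):
        raise ValueError("invocation counter out of range")
    return fixed_field + struct.pack(">Q", invocation)


def applied_iv(iv: bytes, applied_len: int) -> bytes:
    """Model of a cipher that silently uses a shorter IV length than the
    caller supplied: only the leading applied_len bytes take effect, so the
    trailing counter bytes (the part that changes per message) are dropped."""
    return iv[:applied_len]


def count_iv_reuse(ivs, applied_len: int) -> int:
    """Number of encryptions whose effective IV repeats an earlier one.
    Any value above zero means nonce reuse under a fixed key."""
    seen = set()
    collisions = 0
    for iv in ivs:
        effective = applied_iv(iv, applied_len)
        if effective in seen:
            collisions += 1
        seen.add(effective)
    return collisions


def check_iv_length(intended_len: int, reported_len: int) -> None:
    """Defensive check: after configuring a cipher, confirm the length it
    reports matches what was requested before encrypting anything."""
    if reported_len != intended_len:
        raise RuntimeError("IV length mismatch: wanted %d, cipher applied %d"
                           % (intended_len, reported_len))


if __name__ == "__main__":
    # constructed sample: one device id, 1000 consecutive messages
    ivs = [deterministic_iv(b"\xde\xad\xbe\xef", n) for n in range(1000)]
    for length in (GCM_IV_LEN, 11, 8):
        print("applied %2d bytes -> %d reused IVs" % (length, count_iv_reuse(ivs, length)))
```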
Group     Package        Affected   Fixed      Severity  Status  Ticket
AVG-2849  lib32-openssl  1:3.1.3-1  1:3.1.4-1  Medium    Fixed
AVG-2848  openssl        3.1.3-1    3.1.4-1    Medium    Fixed
References
https://www.openssl.org/news/secadv/20231024.txt