security: deep security review — 5 vulnerability fixes + full report#6
Draft
Copilot wants to merge 2 commits into
- Upgrade golang.org/x/crypto v0.31.0 → v0.35.0 (DoS CVE)
- Fix tdd.Decrypt panic on short ciphertext (goroutine crash)
- Fix slss.Decrypt panic on mismatched vector lengths (goroutine crash)
- Redact sensitive LWE ephemeral values from DebugEncrypt/SlssDebugInfo
- Add MaxComponentSize bounds checks to kem.DeserializePublicKey
- Document EGRW design limitation (secret key not used in decryption)
- Add SECURITY_REPORT.md with full details

Agent-Logs-Url: https://github.com/BackendStack21/k-mosaic-go/sessions/93e1e495-642b-41e9-ba5e-b633760ef263
Co-authored-by: jkyberneees <4096860+jkyberneees@users.noreply.github.com>
Copilot created this pull request from a session on behalf of jkyberneees, April 10, 2026 17:54.
Summary
Deep security review of the kMOSAIC-Go post-quantum cryptography library. Five vulnerabilities were identified and fixed, and one design limitation is documented. All existing tests pass.
Vulnerabilities Fixed
V-01 — Dependency CVE: `golang.org/x/crypto` ≤ 0.34.0 (High)
Upgraded `golang.org/x/crypto` v0.31.0 → v0.35.0 to fix a DoS vulnerability (slow/incomplete SSH key exchange). Also upgraded `golang.org/x/sys` v0.28.0 → v0.30.0 as required.
V-02 — `tdd.Decrypt` panics on malformed ciphertext (High)
`ct.Data[:len(ct.Data)-8]` panicked when `len(ct.Data) < 8`. Since `tdd.Decrypt` runs inside a goroutine in `kem.Decapsulate`, a panic there terminates the entire host process — a trivial remote DoS. Fixed by adding a `len(ct.Data) < encMsgLen` guard that returns `nil` instead.
V-03 — `slss.Decrypt` panics on mismatched vector lengths (High)
`innerProduct(ct.U, sk.S, q)` iterates over `ct.U` and indexes into `sk.S`. If `len(ct.U) > len(sk.S)`, Go panics with index-out-of-bounds — again inside a goroutine, causing a process crash. Fixed by adding a `len(ct.U) != len(sk.S)` guard at the top of `slss.Decrypt`.
V-04 — `DebugEncrypt` exposes sensitive LWE ephemeral error vectors (High)
The exported `DebugEncrypt` function returned `e1`/`e2` error-vector heads and `r` support positions/values via `SlssDebugInfo`. In LWE, the error vector is the mathematical secret; exposing even partial values assists lattice reduction attacks and can allow plaintext recovery. The CLI `kem slss-debug` command serialised this to JSON. Fixed by redacting all sensitive fields from `SlssDebugInfo` (now contains only structural info: `ULen`, `VLen`, `W`, `RNNz`), adding security warning doc-comments, and adding missing zeroization calls.
V-05 — `kem.DeserializePublicKey` missing `MaxComponentSize` checks (Medium)
`sign.DeserializePublicKey` validates each length-prefixed component against `MaxComponentSize` (10 MB); the `kem` equivalent did not. A crafted input with component lengths near `len(data)` could cause large allocations (memory-exhaustion DoS). Added consistent `> MaxComponentSize` guards for all four components plus the missing `offset+4 > len(data)` pre-checks.
Design Limitation Documented
D-01 — EGRW Decrypt does not use the secret key (Medium, design)
`egrw.Decrypt` derives its keystream solely from public-key components and the ciphertext vertex — the secret walk `sk.Walk` is never used. Any public-key holder can recover the EGRW share, reducing the effective security barrier from three components to two (SLSS + TDD). This limitation stems from the non-commutativity of SL(2, Z_p), which prevents a DH-style exchange. A package-level `SECURITY NOTE` comment has been added to `problems/egrw/egrw.go` documenting the limitation and recommending future remediation.
Files Changed
- `go.mod` / `go.sum`
- `problems/tdd/tdd.go`: `Decrypt`
- `problems/slss/slss.go`: `Decrypt`; redact `SlssDebugInfo`; add zeroization
- `kem/kem.go`: `MaxComponentSize` constant + bounds checks in `DeserializePublicKey`
- `problems/egrw/egrw.go`
- `cmd/k-mosaic-cli/main.go`: `slss-debug` output fields
- `cmd/k-mosaic-cli/main_test.go`
- `SECURITY_REPORT.md`
All tests pass. CodeQL scan and code review show no alerts.