Crypt::Sodium::XS Integer Overflow Vulnerability in Perl

Vulnerability

A vulnerability exists in Crypt::Sodium::XS versions prior to 0.001000 for Perl, where certain functions do not properly validate the size of the output they are about to produce, so the size calculation can overflow. The affected paths are combined-mode AEAD encryption, signature creation, and the bin2hex function: when the computed output size would exceed SIZE_MAX, the value wraps and an undersized output buffer is allocated. For bin2hex and for the encryption algorithms other than aes256gcm, this results in a crash; for aes256gcm encryption and for signatures, the undersized buffer can be overflowed. The condition is unlikely to be encountered under normal circumstances, since it requires very large message lengths, but it poses a significant risk once the input size crosses the thresholds at which the output-size calculation exceeds SIZE_MAX.

Impact

Exploitation of this vulnerability triggers an integer overflow in the output-size calculation, producing an undersized output buffer. For the bin2hex function and the encryption algorithms other than aes256gcm, this causes a crash (denial of service). For aes256gcm encryption and for signatures, the undersized buffer can be overflowed, which is the more severe outcome.
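The size-calculation pattern the advisory describes, shown as an added C example beside an overflow-checked version. This is illustrative code written for this page, not code from Crypt::Sodium::XS or libsodium; the function names and the hard-coded AEAD_ABYTES tag size are assumptions made so it builds without libsodium.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed tag size for the example. libsodium exposes the real value as
 * crypto_aead_aes256gcm_ABYTES; it is hard-coded here so this builds
 * stand-alone. */
#define AEAD_ABYTES ((size_t)16)

/* Unchecked size computation of the kind the advisory describes.
 * A hex encoding needs 2*binlen + 1 bytes (two digits per input byte
 * plus a terminating NUL). Unsigned arithmetic wraps silently, so for
 * binlen > (SIZE_MAX - 1)/2 the result is a tiny allocation while the
 * encoder still writes 2*binlen + 1 bytes into it. */
size_t bin2hex_outlen_unchecked(size_t binlen) {
    return binlen * 2 + 1;
}

/* Hardened variant: reject any input whose output size cannot be
 * represented in size_t. Returns 0 on overflow; a valid result is
 * always at least 1, so 0 is unambiguous. */
size_t bin2hex_outlen_checked(size_t binlen) {
    if (binlen > (SIZE_MAX - 1) / 2) {
        return 0; /* caller must treat this as an error, not allocate */
    }
    return binlen * 2 + 1;
}

/* Combined-mode AEAD output is the message plus the authentication tag.
 * The same check applies before the addition. Returns 0 on overflow;
 * with a non-zero tag size a valid result is never 0. */
size_t aead_combined_outlen_checked(size_t mlen, size_t abytes) {
    if (mlen > SIZE_MAX - abytes) {
        return 0;
    }
    return mlen + abytes;
}
```

With binlen = SIZE_MAX/2 + 1 the unchecked function returns 1, which is exactly the undersized-buffer condition; the checked functions refuse the same input.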

Remediation

Users of Crypt::Sodium::XS should update to version 0.001001 or later. Instructions for updating can be found on MetaCPAN.

Added: Mar 8, 2026, 2:18 AM
Updated: Mar 8, 2026, 2:18 AM

Vulnerability Rating

Custom Algorithm
  spread:          0.0
  impact:          7.5
  exploitability:  6.6
  remediation:     0.0
  relevance:       3.8
  threat:          0.0
  urgency:         2.9
  incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.