OpenSSL have published a security advisory. Here's how it affects BoringSSL:
| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2023-4807 | POLY1305 MAC implementation corrupts XMM registers on Windows | Low | Not affected, issue was introduced after fork |
This is an ABI error in some Poly1305 assembly which impacts Windows when running on AVX-512-capable processors. The bug was introduced after the fork, so BoringSSL is not impacted.
BoringSSL has two testing strategies that aim to catch this class of bugs. First, we test with Intel SDE, on both Windows and non-Windows x86(_64) targets. This ensures we capture both OS and CPU variants. Second, we test assembly functions with an ABI testing framework which randomizes every non-volatile register, runs the function, and checks that the function correctly restored the values. Together, these would likely have caught analogous bugs as part of automated testing.