| # OpenSSL Advisory: September 8th, 2023 (BoringSSL Not Affected) |
| |
| OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20230908.txt). Here's how it affects BoringSSL: |
| |
| CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL |
| ----|---------|-----------------------|--------------------- |
| CVE-2023-4807 | POLY1305 MAC implementation corrupts XMM registers on Windows | Low | Not affected, issue was introduced after fork |
| |
| [Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity |
| |
| ## CVE-2023-4807 |
| |
| This is an ABI error in some Poly1305 assembly which impacts Windows when running on AVX-512-capable processors. The bug was introduced after the fork, so BoringSSL is not impacted. |
| |
| BoringSSL has two testing strategies that aim to catch this class of bugs. First, we test with [Intel SDE](https://www.intel.com/content/www/us/en/developer/articles/tool/software-development-emulator.html), on both Windows and non-Windows x86(_64) targets. This ensures we capture both OS and CPU variants. Second, we test assembly functions with an [ABI testing framework](https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/test/abi_test.h) which randomizes every non-volatile register, runs the function, and checks that the function correctly restored the values. Together, these would likely have caught analogous bugs as part of automated testing. |
