GHSA-9763-4f94-gfch: CIRCL's Kyber: timing side-channel (kyberslash2)
N/A
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/cloudflare/circl | go | < 1.3.7 | 1.3.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (KyberSlash2) is a timing side channel that occurs during the decapsulation of Kyber ciphertexts. The provided commit 75ef91e8a2f438e6ce2b6e620d236add8be1887d directly addresses it by modifying the CompressTo function in pke/kyber/internal/common/poly.go. The commit message explicitly states: 'kyber: remove division by q in ciphertext compression. On some platforms, division by q leaks some information on the ciphertext by its timing.' The patch replaces the direct division operations within CompressTo with an alternative method (multiplication and bit-shifting) so that the compression runs in constant time. This directly points to the original implementation of CompressTo as the function containing the vulnerable code: a division whose timing depends on the data being divided. The KyberSlash2 attack exploits such timing variations in the compression step when it is used as part of the re-encryption in the Fujisaki-Okamoto transform during decapsulation. Therefore, (*github.com/cloudflare/circl/pke/kyber/internal/common.Poly).CompressTo is the identified vulnerable function, as it contained the timing-variable operation that could be exploited.
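The following is an added illustration of the pattern the patch describes, not CIRCL's own code: a coefficient compression routine written the pre-patch way, with an integer division by q, beside a version that replaces the division by a multiplication with a precomputed reciprocal and a shift, followed by an exhaustive check that both agree on every coefficient value. The Barrett-style constants (a 35-bit shift and m = ceil(2^35 / q)) are this example's own choice, justified by the Granlund-Montgomery exact-division bound, and are not claimed to be the constants the project uses. Whether the division version actually leaks depends on how the compiler and CPU implement division on a given platform, which is exactly why the patch removes the operation rather than relying on that.

```go
package main

import "fmt"

// Q is the Kyber modulus.
const Q = 3329

// compressDiv computes round(2^d * x / Q) mod 2^d with an integer division,
// the way the pre-patch compression did. On platforms whose hardware divider
// has operand-dependent latency, the division time depends on x, which is
// secret-dependent during re-encryption in decapsulation.
func compressDiv(x uint16, d uint) uint16 {
	y := (uint32(x) << d) + Q/2
	return uint16(y/Q) & ((1 << d) - 1)
}

// Barrett-style reciprocal (assumed for this example, not CIRCL's constants).
// For d <= 11 the numerator y = (x << d) + Q/2 is below 2^23. With N = 23 and
// l = 12 (2^12 >= Q), m = ceil(2^(N+l) / Q) satisfies the Granlund-Montgomery
// condition, so (y*m) >> 35 equals y / Q for every y < 2^23.
const (
	barrettShift = 35
	barrettM     = (1<<barrettShift + Q - 1) / Q
)

// compressMulShift computes the same value using only a multiplication and a
// shift, both of which execute in data-independent time on common CPUs.
func compressMulShift(x uint16, d uint) uint16 {
	y := (uint64(x) << d) + Q/2
	return uint16((y*barrettM)>>barrettShift) & ((1 << d) - 1)
}

// checkEquivalent exhaustively compares both versions over the full domain
// x in [0, Q) for every compression width Kyber uses (1, 4, 5, 10, 11 bits).
func checkEquivalent() bool {
	for _, d := range []uint{1, 4, 5, 10, 11} {
		for x := uint16(0); x < Q; x++ {
			if compressDiv(x, d) != compressMulShift(x, d) {
				return false
			}
		}
	}
	return true
}

func main() {
	fmt.Println("multiply-and-shift matches division on all inputs:", checkEquivalent())
}
```

The exhaustive comparison is the check a reviewer would want for any such replacement: a reciprocal-multiply rewrite is only an acceptable fix if it is bit-exact over the whole input domain, and with q = 3329 and five widths that domain is small enough to enumerate.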