[Bug 1995197] Re: Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)
Launchpad Bug Tracker
1995197 at bugs.launchpad.net
Mon Mar 6 13:46:17 UTC 2023
This bug was fixed in the package python3.6 - 3.6.9-1~18.04ubuntu1.10
---------------
python3.6 (3.6.9-1~18.04ubuntu1.10) bionic-security; urgency=medium
* SECURITY UPDATE: Buffer overflow in SHA3 (Keccak)
- debian/patches/CVE-2022-37454.patch: fix a buffer overflow in
Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py
(LP: #1995197).
- CVE-2022-37454
-- Dimitri John Ledkov <dimitri.ledkov at canonical.com> Tue, 28 Feb 2023 09:55:20 +0000
** Changed in: python3.6 (Ubuntu Bionic)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-37454
https://bugs.launchpad.net/bugs/1995197
Title: Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)

Status in pypy3 package in Ubuntu: Fix Released
Status in pysha3 package in Ubuntu: New
Status in python3.6 package in Ubuntu: Invalid
Status in python3.7 package in Ubuntu: Invalid
Status in python3.8 package in Ubuntu: Invalid

Status in pypy3 source package in Bionic: Invalid
Status in pysha3 source package in Bionic: In Progress
Status in python3.6 source package in Bionic: Fix Released
Status in python3.7 source package in Bionic: New
Status in python3.8 source package in Bionic: New

Status in pypy3 source package in Focal: In Progress
Status in pysha3 source package in Focal: In Progress
Status in python3.6 source package in Focal: Invalid
Status in python3.7 source package in Focal: Invalid
Status in python3.8 source package in Focal: New

Status in pypy3 source package in Jammy: In Progress
Status in pysha3 source package in Jammy: In Progress
Status in python3.6 source package in Jammy: Invalid
Status in python3.7 source package in Jammy: Invalid
Status in python3.8 source package in Jammy: Invalid

Status in pypy3 source package in Kinetic: In Progress
Status in pysha3 source package in Kinetic: In Progress
Status in python3.6 source package in Kinetic: Invalid
Status in python3.7 source package in Kinetic: Invalid
Status in python3.8 source package in Kinetic: Invalid

Status in pypy3 source package in Lunar: Fix Released
Status in pysha3 source package in Lunar: New
Status in python3.6 source package in Lunar: Invalid
Status in python3.7 source package in Lunar: Invalid
Status in python3.8 source package in Lunar: Invalid
Bug description:
pysha3, pypy3 and python3.X are affected by CVE-2022-37454, a security issue in Keccak:
https://mouha.be/sha-3-buffer-overflow/
See: https://github.com/python/cpython/issues/98517
Testing:
python3.X/pypy3:
import hashlib; h = hashlib.sha3_224(); h.update(b'\x01'); \
h.update(b'\x01'*0xffff_ffff); \
assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'
pysha3:
import sha3; h = sha3.sha3_224(); h.update(b'\x01'); \
h.update(b'\x01'*0xffff_ffff); \
assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'
For pypy3 and pysha3, I have:
1. Verified the issues exist in the current packages, with the above tests.
2. Built the packages with the attached patches.
3. Verified that the packages upgrade.
4. Verified the security issues are resolved, with the above tests.