[Bug 1995197] Re: Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)
Marc Deslauriers
1995197 at bugs.launchpad.net
Wed Nov 29 14:05:29 UTC 2023
** Changed in: python3.8 (Ubuntu Bionic)
Status: New => Fix Released
** Changed in: python3.8 (Ubuntu Focal)
Status: New => Fix Released
** Changed in: pysha3 (Ubuntu Bionic)
Status: In Progress => Won't Fix
** Changed in: python3.7 (Ubuntu Bionic)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1995197
Title:
Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)
Status in pypy3 package in Ubuntu:
Fix Released
Status in python3.6 package in Ubuntu:
Invalid
Status in python3.7 package in Ubuntu:
Invalid
Status in python3.8 package in Ubuntu:
Invalid
Status in pypy3 source package in Bionic:
Invalid
Status in pysha3 source package in Bionic:
Won't Fix
Status in python3.6 source package in Bionic:
Fix Released
Status in python3.7 source package in Bionic:
Fix Released
Status in python3.8 source package in Bionic:
Fix Released
Status in pypy3 source package in Focal:
In Progress
Status in pysha3 source package in Focal:
In Progress
Status in python3.6 source package in Focal:
Invalid
Status in python3.7 source package in Focal:
Invalid
Status in python3.8 source package in Focal:
Fix Released
Status in pypy3 source package in Jammy:
In Progress
Status in pysha3 source package in Jammy:
In Progress
Status in python3.6 source package in Jammy:
Invalid
Status in python3.7 source package in Jammy:
Invalid
Status in python3.8 source package in Jammy:
Invalid
Status in pypy3 source package in Kinetic:
Won't Fix
Status in pysha3 source package in Kinetic:
Won't Fix
Status in python3.6 source package in Kinetic:
Invalid
Status in python3.7 source package in Kinetic:
Invalid
Status in python3.8 source package in Kinetic:
Invalid
Status in pypy3 source package in Lunar:
Fix Released
Status in python3.6 source package in Lunar:
Invalid
Status in python3.7 source package in Lunar:
Invalid
Status in python3.8 source package in Lunar:
Invalid
Bug description:
pysha3, pypy3, python3.X are affected by CVE-2022-37454, a security issue in Keccak
https://mouha.be/sha-3-buffer-overflow/
See: https://github.com/python/cpython/issues/98517
Testing:
python3.X/pypy3:
    import hashlib
    h = hashlib.sha3_224()
    h.update(b'\x01')                 # one byte left buffered as a partial block
    h.update(b'\x01' * 0xffff_ffff)   # single ~4 GiB update (needs ~4 GiB RAM) triggers CVE-2022-37454 on unpatched builds
    # the digest below is the correct SHA3-224 of the 0x1_0000_0000 bytes; the assertion fails on a vulnerable build
    assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'
pysha3:
    import sha3
    h = sha3.sha3_224()
    h.update(b'\x01')                 # same partial-block setup as above
    h.update(b'\x01' * 0xffff_ffff)   # same ~4 GiB single update
    assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'
For pypy3 and pysha3, I have:
1. Verified the issues exist in the current packages, with the above tests.
2. Built the packages with the attached patches.
3. Verified that the packages upgrade.
4. Verified the security issues are resolved, with the above tests.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pypy3/+bug/1995197/+subscriptions