[Bug 1995197] Re: Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)
Launchpad Bug Tracker
1995197 at bugs.launchpad.net
Wed Nov 29 15:41:53 UTC 2023
This bug was fixed in the package pypy3 - 7.3.1+dfsg-4ubuntu0.1
---------------
pypy3 (7.3.1+dfsg-4ubuntu0.1) focal-security; urgency=high
* SECURITY UPDATE: Fix buffer overflow in SHA3 (Keccak) implementation.
* References: CVE-2022-37454 (LP: #1995197).
-- Stefano Rivera <stefanor at ubuntu.com> Sat, 29 Oct 2022 18:45:41 +0200
** Changed in: pypy3 (Ubuntu Focal)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to python3.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1995197
Title:
Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)
Status by package and series ("Ubuntu" is the entry for the Ubuntu package itself; "(not listed)" marks combinations with no entry):

Package     Ubuntu         Bionic         Focal          Jammy          Kinetic     Lunar
pypy3       Fix Released   Invalid        Fix Released   In Progress    Won't Fix   Fix Released
pysha3      (not listed)   Won't Fix      Fix Released   In Progress    Won't Fix   (not listed)
python3.6   Invalid        Fix Released   Invalid        Invalid        Invalid     Invalid
python3.7   Invalid        Fix Released   Invalid        Invalid        Invalid     Invalid
python3.8   Invalid        Fix Released   Fix Released   Invalid        Invalid     Invalid
Bug description:
pysha3, pypy3, python3.X are affected by CVE-2022-37454, a security issue in Keccak
https://mouha.be/sha-3-buffer-overflow/
See: https://github.com/python/cpython/issues/98517
Testing:
python3.X/pypy3:
import hashlib; h = hashlib.sha3_224(); h.update(b'\x01'); \
h.update(b'\x01'*0xffff_ffff); \
assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'
pysha3:
import sha3; h = sha3.sha3_224(); h.update(b'\x01'); \
h.update(b'\x01'*0xffff_ffff); \
assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'
For pypy3 and pysha3, I have:
1. Verified the issues exist in the current packages, with the above tests.
2. Built the packages with the attached patches.
3. Verified that the packages upgrade.
4. Verified the security issues are resolved, with the above tests.
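As an added illustration (not code from this bug report, from CPython, pypy3 or pysha3), the pure-Python SHA3-224 sponge below shows the absorb bookkeeping that the 1-byte-then-0xffffffff-byte test above exercises: `update()` bounds each chunk by the free space in the current block first, the way the fixed XKCP code does, so the length arithmetic cannot wrap. The class and function names are my own, the description of the vulnerable XKCP check is from the upstream fix, and because the page's own vector needs 4 GiB of input the model is verified against hashlib on small chunked inputs instead.

```python
import hashlib
def rol64(a, n): return ((a >> (64 - n % 64)) + (a << (n % 64))) % (1 << 64)
def keccak_f1600(L):
    # Keccak-f[1600] on 25 64-bit lanes; lane (x, y) is L[x + 5*y] (compact reference form)
    R = 1
    for _ in range(24):
        C = [L[x] ^ L[x + 5] ^ L[x + 10] ^ L[x + 15] ^ L[x + 20] for x in range(5)]
        D = [C[(x + 4) % 5] ^ rol64(C[(x + 1) % 5], 1) for x in range(5)]
        L = [L[i] ^ D[i % 5] for i in range(25)]                                 # theta
        x, y, cur = 1, 0, L[1]
        for t in range(24):                                                      # rho + pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, L[x + 5 * y] = L[x + 5 * y], rol64(cur, (t + 1) * (t + 2) // 2)
        for y in range(0, 25, 5):                                                # chi
            T = L[y:y + 5]
            for x in range(5): L[y + x] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        for j in range(7):                                                       # iota
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2: L[0] ^= 1 << ((1 << j) - 1)
    return L
def permute(state):   # Keccak-f[1600] in place on the 200-byte state (little-endian lanes)
    L = keccak_f1600([int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)])
    state[:] = b"".join(v.to_bytes(8, "little") for v in L)
class Sha3_224:
    RATE, OUT = 144, 28   # rate = (1600 - 2*224) bits = 144 bytes; 28-byte digest
    def __init__(self):
        self.state, self.idx = bytearray(200), 0   # idx plays the role of XKCP's byteIOIndex
    def update(self, data):
        data = memoryview(data)
        while data:
            # Absorb min(free space in block, remaining input). XKCP's vulnerable code tested
            # "partialBlock + byteIOIndex > rateInBytes" in 32-bit arithmetic, so for 0xffffffff + 1
            # (the page's test vector) the sum wraps to 0 and the copy runs past the 200-byte state.
            n = min(self.RATE - self.idx, len(data))
            for j in range(n):
                self.state[self.idx + j] ^= data[j]
            data, self.idx = data[n:], self.idx + n
            if self.idx == self.RATE:
                permute(self.state)
                self.idx = 0
        return self
    def hexdigest(self):
        s = bytearray(self.state)                      # pad a copy so further update() calls stay valid
        s[self.idx] ^= 0x06; s[self.RATE - 1] ^= 0x80  # SHA-3 suffix 01, then pad10*1
        permute(s)
        return s[:self.OUT].hex()
def matches_hashlib(*chunks):   # same update() sequence through this sponge and hashlib.sha3_224
    ours, ref = Sha3_224(), hashlib.sha3_224()
    for c in chunks: ours.update(c); ref.update(c)
    return ours.hexdigest() == ref.hexdigest()
```

The model has no full-block fast path, so it is for reading the chunk bound, not for hashing large data.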
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pypy3/+bug/1995197/+subscriptions