Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)

Bug #1995197 reported by Stefano Rivera
This bug affects 1 person
Affects                 Status        Importance  Assigned to    Milestone
pypy3 (Ubuntu)          Fix Released  Undecided   Unassigned
  Bionic                Invalid       Undecided   Unassigned
  Focal                 In Progress   Undecided   Steve Beattie
  Jammy                 In Progress   Undecided   Steve Beattie
  Kinetic               Won't Fix     Undecided   Steve Beattie
  Lunar                 Fix Released  Undecided   Unassigned
pysha3 (Ubuntu)
  Bionic                In Progress   Undecided   Steve Beattie
  Focal                 In Progress   Undecided   Steve Beattie
  Jammy                 In Progress   Undecided   Steve Beattie
  Kinetic               Won't Fix     Undecided   Steve Beattie
python3.6 (Ubuntu)      Invalid       Undecided   Unassigned
  Bionic                Fix Released  Undecided   Unassigned
  Focal                 Invalid       Undecided   Unassigned
  Jammy                 Invalid       Undecided   Unassigned
  Kinetic               Invalid       Undecided   Unassigned
  Lunar                 Invalid       Undecided   Unassigned
python3.7 (Ubuntu)      Invalid       Undecided   Unassigned
  Bionic                New           Undecided   Unassigned
  Focal                 Invalid       Undecided   Unassigned
  Jammy                 Invalid       Undecided   Unassigned
  Kinetic               Invalid       Undecided   Unassigned
  Lunar                 Invalid       Undecided   Unassigned
python3.8 (Ubuntu)      Invalid       Undecided   Unassigned
  Bionic                New           Undecided   Unassigned
  Focal                 New           Undecided   Unassigned
  Jammy                 Invalid       Undecided   Unassigned
  Kinetic               Invalid       Undecided   Unassigned
  Lunar                 Invalid       Undecided   Unassigned

Bug Description

pysha3, pypy3, python3.X are affected by CVE-2022-37454, a security issue in Keccak
https://mouha.be/sha-3-buffer-overflow/

See: https://github.com/python/cpython/issues/98517

Testing:

python3.X/pypy3:

import hashlib; h = hashlib.sha3_224(); h.update(b'\x01'); \
h.update(b'\x01'*0xffff_ffff); \
assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'

pysha3:

import sha3; h = sha3.sha3_224(); h.update(b'\x01'); \
h.update(b'\x01'*0xffff_ffff); \
assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'

For pypy3 and pysha3, I have:
1. Verified the issues exist in the current packages, with the above tests.
2. Built the packages with the attached patches.
3. Verified that the packages upgrade.
4. Verified the security issues are resolved, with the above tests.

CVE References: CVE-2022-37454

Changed in python3.8 (Ubuntu Jammy):
status: New → Invalid
Changed in python3.8 (Ubuntu Kinetic):
status: New → Invalid
Changed in python3.8 (Ubuntu Lunar):
status: New → Invalid
Changed in python3.7 (Ubuntu Jammy):
status: New → Invalid
Changed in python3.7 (Ubuntu Focal):
status: New → Invalid
Changed in python3.7 (Ubuntu Kinetic):
status: New → Invalid
Changed in python3.7 (Ubuntu Lunar):
status: New → Invalid
Changed in python3.6 (Ubuntu Focal):
status: New → Invalid
Changed in python3.6 (Ubuntu Jammy):
status: New → Invalid
Changed in python3.6 (Ubuntu Kinetic):
status: New → Invalid
Changed in python3.6 (Ubuntu Lunar):
status: New → Invalid
Changed in pypy3 (Ubuntu Bionic):
status: New → Invalid
description: updated
description: updated
description: updated
Changed in pypy3 (Ubuntu Focal):
status: New → Confirmed
Changed in pypy3 (Ubuntu Jammy):
status: New → Confirmed
Changed in pypy3 (Ubuntu Kinetic):
status: New → Confirmed
Changed in pysha3 (Ubuntu Bionic):
status: New → Confirmed
Changed in pysha3 (Ubuntu Focal):
status: New → Confirmed
Changed in pysha3 (Ubuntu Jammy):
status: New → Confirmed
Changed in pysha3 (Ubuntu Kinetic):
status: New → Confirmed
description: updated
Steve Beattie (sbeattie) wrote :

Hey Stefano, thanks for preparing the debdiffs for pypy3 and pysha3; my initial examination of them looks good. I'll work on sponsoring them.

For lunar, the fixed version of pypy3 is in lunar-proposed, so I've marked that as fixed committed.

Changed in pypy3 (Ubuntu Lunar):
status: New → Fix Committed
Changed in pypy3 (Ubuntu Focal):
status: Confirmed → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Changed in pypy3 (Ubuntu Jammy):
assignee: nobody → Steve Beattie (sbeattie)
status: Confirmed → In Progress
Changed in pypy3 (Ubuntu Kinetic):
assignee: nobody → Steve Beattie (sbeattie)
status: Confirmed → In Progress
Changed in pysha3 (Ubuntu Bionic):
assignee: nobody → Steve Beattie (sbeattie)
status: Confirmed → In Progress
Changed in pysha3 (Ubuntu Focal):
assignee: nobody → Steve Beattie (sbeattie)
status: Confirmed → In Progress
Changed in pysha3 (Ubuntu Jammy):
assignee: nobody → Steve Beattie (sbeattie)
status: Confirmed → In Progress
Changed in pysha3 (Ubuntu Kinetic):
assignee: nobody → Steve Beattie (sbeattie)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pypy3 - 7.3.11+dfsg-1

---------------
pypy3 (7.3.11+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Refresh patches.

 -- Stefano Rivera <email address hidden> Fri, 30 Dec 2022 09:29:42 -0400

Changed in pypy3 (Ubuntu Lunar):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python3.6 - 3.6.9-1~18.04ubuntu1.10

---------------
python3.6 (3.6.9-1~18.04ubuntu1.10) bionic-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow in SHA3 (Keccak)
    - debian/patches/CVE-2022-37454.patch: fix a buffer overflow in
      Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py
     (LP: #1995197).
    - CVE-2022-37454

 -- Dimitri John Ledkov <email address hidden> Tue, 28 Feb 2023 09:55:20 +0000

Changed in python3.6 (Ubuntu Bionic):
status: New → Fix Released
Andreas Hasenack (ahasenack) wrote :

pysha3 was removed[1] from lunar:

Deleted on 2022-11-16 by Steve Langasek
(From Debian) RoQA; Backport package now unmaintained upstream; Debian bug #1023033

1. https://launchpad.net/ubuntu/+source/pysha3/+publishinghistory

no longer affects: pysha3 (Ubuntu Lunar)
Andreas Hasenack (ahasenack) wrote :

Kinetic is EOL.

Changed in pysha3 (Ubuntu Kinetic):
status: In Progress → Won't Fix
Utkarsh Gupta (utkarsh) wrote :

Ubuntu 22.10 (Kinetic Kudu) has reached end of life, so this bug will not be fixed for that specific release.

Changed in pypy3 (Ubuntu Kinetic):
status: In Progress → Won't Fix
Mathew Hodson (mhodson)
no longer affects: pysha3 (Ubuntu)