Ubuntu
python3.7 package

Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)

Focal (20.04)
Bug #1995197

Bug #1995197 reported by Stefano Rivera on 2022-10-30

This bug affects 1 person

	Status	Importance	Assigned to
pypy3 (Ubuntu)	Fix Released	Undecided	Unassigned
Bionic	Invalid	Undecided	Unassigned
Focal	In Progress	Undecided	Steve Beattie
Jammy	In Progress	Undecided	Steve Beattie
Kinetic	Won't Fix	Undecided	Steve Beattie
Lunar	Fix Released	Undecided	Unassigned
pysha3 (Ubuntu)
Bionic	In Progress	Undecided	Steve Beattie
Focal	In Progress	Undecided	Steve Beattie
Jammy	In Progress	Undecided	Steve Beattie
Kinetic	Won't Fix	Undecided	Steve Beattie
python3.6 (Ubuntu)	Invalid	Undecided	Unassigned
Bionic	Fix Released	Undecided	Unassigned
Focal	Invalid	Undecided	Unassigned
Jammy	Invalid	Undecided	Unassigned
Kinetic	Invalid	Undecided	Unassigned
Lunar	Invalid	Undecided	Unassigned
python3.7 (Ubuntu)	Invalid	Undecided	Unassigned
Bionic	New	Undecided	Unassigned
Focal	Invalid	Undecided	Unassigned
Jammy	Invalid	Undecided	Unassigned
Kinetic	Invalid	Undecided	Unassigned
Lunar	Invalid	Undecided	Unassigned
python3.8 (Ubuntu)	Invalid	Undecided	Unassigned
Bionic	New	Undecided	Unassigned
Focal	New	Undecided	Unassigned
Jammy	Invalid	Undecided	Unassigned
Kinetic	Invalid	Undecided	Unassigned
Lunar	Invalid	Undecided	Unassigned

Bug Description

pysha3, pypy3, python3.X are affected by CVE-2022-37454, a security issue in Keccak
https://mouha.be/sha-3-buffer-overflow/

See: https://github.com/python/cpython/issues/98517

Testing:

python3.X/pypy3:

import hashlib; h = hashlib.sha3_224(); h.update(b'\x01'); \
h.update(b'\x01'*0xffff_ffff); \
assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'

pysha3:

import sha3; h = sha3.sha3_224(); h.update(b'\x01'); \
h.update(b'\x01'*0xffff_ffff); \
assert h.hexdigest() == '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed'

For pypy3 and pysha3, I have:
1. Verified the issues exist in the current packages, with the above tests.
2. Built the packages with the attached patches
3. Verified that the packages upgrade
4. Verified the security issues are resolved, with the above tests.

See original description

Tags:

CVE References

2022-37454

Stefano Rivera (stefanor) on 2022-10-30

Changed in python3.8 (Ubuntu Jammy):
status:	New → Invalid
Changed in python3.8 (Ubuntu Kinetic):
status:	New → Invalid
Changed in python3.8 (Ubuntu Lunar):
status:	New → Invalid
Changed in python3.7 (Ubuntu Jammy):
status:	New → Invalid
Changed in python3.7 (Ubuntu Focal):
status:	New → Invalid
Changed in python3.7 (Ubuntu Kinetic):
status:	New → Invalid
Changed in python3.7 (Ubuntu Lunar):
status:	New → Invalid
Changed in python3.6 (Ubuntu Focal):
status:	New → Invalid
Changed in python3.6 (Ubuntu Jammy):
status:	New → Invalid
Changed in python3.6 (Ubuntu Kinetic):
status:	New → Invalid
Changed in python3.6 (Ubuntu Lunar):
status:	New → Invalid
Changed in pypy3 (Ubuntu Bionic):
status:	New → Invalid

Stefano Rivera (stefanor) on 2022-10-30

description:	updated
description:	updated
description:	updated

Revision history for this message

Stefano Rivera (stefanor) wrote on 2022-10-30:

pypy3-focal.debdiff Edit (5.2 KiB, text/plain)

Revision history for this message

Stefano Rivera (stefanor) wrote on 2022-10-30:

pypy3-jammy.debdiff Edit (5.1 KiB, text/plain)

Revision history for this message

Stefano Rivera (stefanor) wrote on 2022-10-30:

pypy3-kinetic.debdiff Edit (5.1 KiB, text/plain)

Revision history for this message

Stefano Rivera (stefanor) wrote on 2022-10-30:

pysha3-bionic.debdiff Edit (3.3 KiB, text/plain)

Revision history for this message

Stefano Rivera (stefanor) wrote on 2022-10-30:

pysha3-focal.debdiff Edit (3.4 KiB, text/plain)

Revision history for this message

Stefano Rivera (stefanor) wrote on 2022-10-30:

pysha3-jammy.debdiff Edit (3.3 KiB, text/plain)

Revision history for this message

Stefano Rivera (stefanor) wrote on 2022-10-30:

pysha3-kinetic.debdiff Edit (3.3 KiB, text/plain)

Changed in pypy3 (Ubuntu Focal):
status:	New → Confirmed
Changed in pypy3 (Ubuntu Jammy):
status:	New → Confirmed
Changed in pypy3 (Ubuntu Kinetic):
status:	New → Confirmed
Changed in pysha3 (Ubuntu Bionic):
status:	New → Confirmed
Changed in pysha3 (Ubuntu Focal):
status:	New → Confirmed
Changed in pysha3 (Ubuntu Jammy):
status:	New → Confirmed
Changed in pysha3 (Ubuntu Kinetic):
status:	New → Confirmed

Stefano Rivera (stefanor) on 2022-10-30

description:

updated

Revision history for this message

Steve Beattie (sbeattie) wrote on 2022-11-15:

Hey Stefano, thanks for preparing the debdiffs for pypy3 and pysha3, my initial examination of them looks good. I'll work on sponsoring them.

For lunar, the fixed version of pypy3 is in lunar-proposed, so I've marked that as fixed committed.

Changed in pypy3 (Ubuntu Lunar):
status:	New → Fix Committed
Changed in pypy3 (Ubuntu Focal):
status:	Confirmed → In Progress
assignee:	nobody → Steve Beattie (sbeattie)
Changed in pypy3 (Ubuntu Jammy):
assignee:	nobody → Steve Beattie (sbeattie)
status:	Confirmed → In Progress
Changed in pypy3 (Ubuntu Kinetic):
assignee:	nobody → Steve Beattie (sbeattie)
status:	Confirmed → In Progress
Changed in pysha3 (Ubuntu Bionic):
assignee:	nobody → Steve Beattie (sbeattie)
status:	Confirmed → In Progress
Changed in pysha3 (Ubuntu Focal):
assignee:	nobody → Steve Beattie (sbeattie)
status:	Confirmed → In Progress
Changed in pysha3 (Ubuntu Jammy):
assignee:	nobody → Steve Beattie (sbeattie)
status:	Confirmed → In Progress
Changed in pysha3 (Ubuntu Kinetic):
assignee:	nobody → Steve Beattie (sbeattie)
status:	Confirmed → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-12-31:

This bug was fixed in the package pypy3 - 7.3.11+dfsg-1

---------------
pypy3 (7.3.11+dfsg-1) unstable; urgency=medium

* New upstream release.
* Refresh patches.

-- Stefano Rivera <email address hidden> Fri, 30 Dec 2022 09:29:42 -0400

Changed in pypy3 (Ubuntu Lunar):
status:	Fix Committed → Fix Released

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2023-02-28:

#10

python3.6-bionic.debdiff Edit (6.1 KiB, text/plain)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-03-06:

#11

This bug was fixed in the package python3.6 - 3.6.9-1~18.04ubuntu1.10

---------------
python3.6 (3.6.9-1~18.04ubuntu1.10) bionic-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow in SHA3 (Keccak)
    - debian/patches/CVE-2022-37454.patch: fix a buffer overflow in
      Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py
     (LP: #1995197).
    - CVE-2022-37454

-- Dimitri John Ledkov <email address hidden> Tue, 28 Feb 2023 09:55:20 +0000

Changed in python3.6 (Ubuntu Bionic):
status:	New → Fix Released

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2023-08-04:

#12

pysha3 was removed[1] from lunar:

Deleted on 2022-11-16 by Steve Langasek
(From Debian) RoQA; Backport package now unmaintained upstream; Debian bug #1023033

1. https://launchpad.net/ubuntu/+source/pysha3/+publishinghistory

no longer affects:

pysha3 (Ubuntu Lunar)

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2023-08-04:

#13

kinetic is eol

Changed in pysha3 (Ubuntu Kinetic):
status:	In Progress → Won't Fix

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2023-08-10:

#14

Ubuntu 22.10 (Kinetic Kudu) has reached end of life, so this bug will not be fixed for that specific release.

Changed in pypy3 (Ubuntu Kinetic):
status:	In Progress → Won't Fix

Mathew Hodson (mhodson) on 2023-08-28

no longer affects:

pysha3 (Ubuntu)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntupython3.7 package

Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
python3.7 package