Bug 2140200 (CVE-2022-37454)
| Summary: | CVE-2022-37454 XKCP: buffer overflow in the SHA-3 reference implementation | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | cstratak, hhorak, jaruga, jorton, mhroncok, pviktori, python-maint, rcollet, ruby-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the Keccak XKCP SHA-3 reference implementation. The sponge function interface allows partial input data to be processed, and partial output to be produced. When at least one of these has a length of 4294967096 bytes or more, it can result in elimination of cryptographic properties, execution of arbitrary code, or a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-17 02:31:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2141754, 2141755, 2141756, 2141757, 2141758, 2141759, 2141760, 2141761, 2141762, 2141763, 2141764, 2141766, 2141812, 2141813, 2141814, 2141815, 2141816, 2141818, 2141819, 2161670, 2161671 | ||
| Bug Blocks: | 2137582 | ||
|
Description
Guilherme de Almeida Suckevicz
2022-11-04 19:16:33 UTC
I can just guess that Ruby maintainers were added on the CC due to "SHA3 for Ruby" being mentioned at the second reference. If that is the case, I'd just like to point out that this library is not in Fedora neither in RHEL, therefore this is not of our interest. This affects Fedora's Python 3.6, 3.7, 3.8, and PyPy 3.*. Python 3.9+ is not affected in Fedora, as it uses the OpenSSL implementation. Python 3.11 is not affected even upstream: Python 3.11 switched to using a different sha3 implementation as a fallback. Python/PyPy 2 does not seem to support Keccak. See https://github.com/python/cpython/issues/98517 Python in RHEL is not affected: our RHEL-only hashlib patches remove the fallbacks, so only OpenSSL is used there. > I can just guess that Ruby maintainers were added on the CC due to "SHA3 for Ruby" being mentioned at the second reference. If that is the case, I'd just like to point out that this library is not in Fedora neither in RHEL, therefore this is not of our interest. Yes. In the second reference, the sentence for Ruby is below. There is no RPM package for the "SHA3 for Ruby" (sha3 gem package) on both Fedora and RHEL. https://mouha.be/sha-3-buffer-overflow/ > The vulnerability has been assigned CVE-2022-37454 and bug reports are available for Python, PHP, PyPy, pysha3, SHA3 for Ruby, and XKCP. => https://github.com/johanns/sha3/issues/17 => https://rubygems.org/gems/sha3 Notice: the PHP security team doesn't consider this issue as a security vulnerability as it requires to be exploited some bad configuration (memory_limit). So any sane configuration protects from it. Created mingw-python3 tracking bugs for this issue: Affects: fedora-all [bug 2141755] Created python2.7 tracking bugs for this issue: Affects: fedora-all [bug 2141756] Created python3.6 tracking bugs for this issue: Affects: fedora-all [bug 2141757] Created python3.7 tracking bugs for this issue: Affects: fedora-all [bug 2141758] Created python3.8 tracking bugs for this issue: Affects: fedora-all [bug 2141759] Created python34 tracking bugs for this issue: Affects: epel-all [bug 2141754] Created pypy tracking bugs for this issue: Affects: epel-all [bug 2141761] Affects: fedora-all [bug 2141760] Created pypy3.7 tracking bugs for this issue: Affects: fedora-all [bug 2141762] Created pypy3.8 tracking bugs for this issue: Affects: fedora-all [bug 2141763] Created pypy3.9 tracking bugs for this issue: Affects: fedora-all [bug 2141764] Created php tracking bugs for this issue: Affects: fedora-all [bug 2141766] Created rust-keccak tracking bugs for this issue: Affects: fedora-all [bug 2141818] Created rust-tiny-keccak tracking bugs for this issue: Affects: fedora-all [bug 2141819] FEDORA-2022-17bc21cf38 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. For the record, any Python older than 3.6 does not even support SHA-3 and hence is not affected. I've verified this in python37 @ epel7 package [bug 2141754]. (In reply to Miro Hrončok from comment #13) > For the record, any Python older than 3.6 does not even support SHA-3 and > hence is not affected. I've verified this in python37 @ epel7 package [bug > 2141754]. Correction: I've verified this in python34 @ epel7 package [bug 2141754]. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0848 https://access.redhat.com/errata/RHSA-2023:0848 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0965 https://access.redhat.com/errata/RHSA-2023:0965 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2417 https://access.redhat.com/errata/RHSA-2023:2417 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2903 https://access.redhat.com/errata/RHSA-2023:2903 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-37454 |