2238753 – (CVE-2022-48566) CVE-2022-48566 python: constant-time-defeating optimisations issue in the compare_digest function in Lib/hmac.p

Bug 2238753 (CVE-2022-48566) - CVE-2022-48566 python: constant-time-defeating optimisations issue in the compare_digest function in Lib/hmac.p

Summary: CVE-2022-48566 python: constant-time-defeating optimisations issue in the com...

Keywords:
Status:	NEW
Alias:	CVE-2022-48566
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2238756 2238757 2238758 2238759 2238760 2238761
Blocks:	2238762
TreeView+	depends on / blocked

Reported:	2023-09-13 13:30 UTC by msiddiqu
Modified:	2023-12-20 11:25 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description msiddiqu 2023-09-13 13:30:37 UTC

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

Comment 1 msiddiqu 2023-09-13 13:46:31 UTC

References: 
 
https://github.com/python/cpython/issues/84968
https://bugs.python.org/issue40791

Comment 2 msiddiqu 2023-09-13 13:59:07 UTC

Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2238756]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2238757]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2238758]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2238759]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2238760]

Note You need to log in before you can comment on or make changes to this bug.