Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
python3.30640
CVE-2022-37454-sha3-buffer-overflow.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2022-37454-sha3-buffer-overflow.patch of Package python3.30640
From ede8c1b94d43c4611361a47335306bab44b5e2e3 Mon Sep 17 00:00:00 2001 From: Theo Buehler <botovq@users.noreply.github.com> Date: Fri, 21 Oct 2022 21:26:01 +0200 Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com> --- Lib/test/test_hashlib.py | 9 ++++++ Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 Modules/_sha3/kcp/KeccakSponge.inc | 15 +++++----- 3 files changed, 18 insertions(+), 7 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -418,6 +418,15 @@ class HashLibTestCase(unittest.TestCase) def test_case_md5_uintmax(self, size): self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') + @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') + @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) + def test_sha3_update_overflow(self, size): + """Regression test for gh-98517 CVE-2022-37454.""" + h = hashlib.sha3_224() + h.update(b'\x01') + h.update(b'\x01'*0xffff_ffff) + self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed') + # use the three examples from Federal Information Processing Standards # Publication 180-1, Secure Hash Standard, 1995 April 17 # http://www.itl.nist.gov/div897/pubs/fip180-1.htm --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst @@ -0,0 +1 @@ +Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). --- a/Modules/_sha3/kcp/KeccakSponge.inc +++ b/Modules/_sha3/kcp/KeccakSponge.inc @@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instanc i = 0; curData = data; while(i < dataByteLen) { - if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { + if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { #ifdef SnP_FastLoop_Absorb /* processing full blocks first */ @@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instanc } else { /* normal lane: using the message queue */ - - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) partialBlock = rateInBytes-instance->byteIOIndex; + else + partialBlock = (unsigned int)(dataByteLen - i); #ifdef KeccakReference displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); #endif @@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instan i = 0; curData = data; while(i < dataByteLen) { - if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { + if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { SnP_Permute(instance->state); SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); @@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instan SnP_Permute(instance->state); instance->byteIOIndex = 0; } - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) partialBlock = rateInBytes-instance->byteIOIndex; + else + partialBlock = (unsigned int)(dataByteLen - i); i += partialBlock; SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor