[CVE-2022-37454] Buffer overflow in the _sha3 module in python versions <= 3.10 #98517
Comments
This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/
|
Scope: When Python is linked against OpenSSL 1.1.1 or later, which is true on many modern systems, the OpenSSL provided You can tell if your Python 3.10 or earlier is vulnerable by doing the following: A potentially vulnerable Python if unpatched looks like this: >>> import hashlib
>>> hashlib.sha3_224
<class '_sha3.sha3_224'>A non-vulnerable Python looks like this: >>> import hashlib
>>> hashlib.sha3_224
<built-in function openssl_sha3_224>Edit update: Python 3.8 and earlier did not delegate sha3 to OpenSSL regardless of version, so those are vulnerable. |
gpshead
added
type-security
This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
…-98519) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
…-98519) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
…8528) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
As far as I can see on Fedora, only Python 3.9+ reports |
I don’t think it is correct (at least for the enterprise maintainers dealing with archaeological excavations; however, this is openSUSE/Tumbleweed): stitny~$ python3.6
Python 3.6.15 (default, Sep 15 2021, 11:41:54) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>> import hashlib
>>> h = hashlib.sha3_224()
>>> hashlib.sha3_224
<class '_sha3.sha3_224'>
>>> h.update(b"\x00" * 1)
>>> h.update(b"\x00" * 4294967295)
fish: Job 1, 'python3.6' terminated by signal SIGSEGV (Address boundary error)
stitny~$ and even stitny~$ python3.8
Python 3.8.15 (default, Oct 19 2022, 07:18:07) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hashlib.sha3_224
<class '_sha3.sha3_224'>
>>> h = hashlib.sha3_224()
>>> h.update(b"\x00" * 1)
>>> h.update(b"\x00" * 4294967295)
fish: Job 1, 'python3.8' terminated by signal SIGSEGV (Address boundary error)
stitny~$ So, you are right, linking against the modern OpenSSL is the key. |
Hmm, it is not that simple: see my example with Python 3.6 on openSUSE. See also (the same goes for our Python 3.8): stitny~$ python3.6
Python 3.6.15 (default, Sep 15 2021, 11:41:54) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.1.1q 5 Jul 2022'
>>> |
|
openssl sha3 delegation was added in commit d5b3f6b, which is 3.9 and later python I think. |
Hmm, that makes me wonder, @tiran, how hopeless do you think it would be to port that pull request to 3.8 and 3.6? Did the underlying code completely changed between the versions or is it more or less the same? I really don’t like bundled implementations of security algorithms. |
|
Our 3.7 and 3.8 branches will get the patch merged, see the PRs above. 3.6 is EOL but it is trivial to apply the change to older |
This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
https://build.opensuse.org/request/show/1032060 by user mcepl + dimstar_suse - Add CVE-2022-37454-sha3-buffer-overflow.patch to fix bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer overflow in hashlib.sha3_* implementations (originally from the XKCP library).
vstinner
changed the title
|
I created https://python-security.readthedocs.io/vuln/sha3-buffer-overflow.html to track this vulnerability. |
|
Everything was merged. Closing. If you don't see this fix backported into your favorite OS distro that ships their own Python packages, reach out to that distro's security reporting process. Otherwise these will be part of the next planned regular patch releases of all impacted Python versions. https://peps.python.org/pep-0619/ for example. (there's a similar PEP for each version) |
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. Python 3.11 and later switched to using tiny_sha3 in GH-32060, so they should not be affected. python/cpython#98517 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. Python 3.11 and later switched to using tiny_sha3 in GH-32060, so they should not be affected. python/cpython#98517 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 92d96e8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. Python 3.11 and later switched to using tiny_sha3 in GH-32060, so they should not be affected. python/cpython#98517 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 92d96e8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2022-37454 affects Python versions prior to 3.11. The fix discussed in XKCP's advisory can be adapted to these versions. The discoverer's writeup contains code that might be turned into regression tests.
Python 3.11 and later switched to using tiny_sha3 in GH-32060, so they should not be affected.
Linked PRs
The text was updated successfully, but these errors were encountered: