[CVE-2022-37454] Buffer overflow in the _sha3 module in python versions <= 3.10 #98517

Closed
botovq opened this issue Oct 21, 2022 · 9 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes type-bug An unexpected behavior, bug, or error type-security A security issue

@botovq

botovq commented Oct 21, 2022

CVE-2022-37454 affects Python versions prior to 3.11. The fix discussed in XKCP's advisory can be adapted to these versions. The discoverer's writeup contains code that might be turned into regression tests.

Python 3.11 and later switched to using tiny_sha3 in GH-32060, so they should not be affected.

@botovq botovq added the type-bug An unexpected behavior, bug, or error label Oct 21, 2022
botovq added a commit to botovq/cpython that referenced this issue Oct 21, 2022
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].

[1]: XKCP/XKCP@fdc6fef
[2]: https://mouha.be/sha-3-buffer-overflow/
@gpshead
Member

gpshead commented Oct 21, 2022

Scope: When Python is linked against OpenSSL 1.1.1 or later, which is true on many modern systems, the OpenSSL provided sha3 implementation will be used instead of the vulnerable bundled _sha3 XKCP module code.

You can tell if your Python 3.10 or earlier is vulnerable by doing the following:

A potentially vulnerable Python if unpatched looks like this:

```
>>> import hashlib
>>> hashlib.sha3_224
<class '_sha3.sha3_224'>
```

A non-vulnerable Python looks like this:

```
>>> import hashlib
>>> hashlib.sha3_224
<built-in function openssl_sha3_224>
```

Edit update: Python 3.8 and earlier did not delegate sha3 to OpenSSL regardless of version, so those are vulnerable.

@gpshead gpshead added type-security A security issue 3.10 only security fixes 3.9 only security fixes 3.8 only security fixes 3.7 (EOL) end of life labels Oct 21, 2022
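
The check from the comment above, written as a script (an added example, not code from this thread or from CPython). It classifies what `hashlib` actually exposes for each SHA-3 constructor instead of looking at the linked OpenSSL version. The function names and verdict strings are illustrative, and it cannot tell a patched build from an unpatched one.

```python
import hashlib
import sys

SHA3_NAMES = ("sha3_224", "sha3_256", "sha3_384", "sha3_512",
              "shake_128", "shake_256")


def classify_constructor(ctor):
    """Return 'openssl', 'bundled' or 'unknown' for a hashlib constructor."""
    # OpenSSL-backed constructors are built-in functions named openssl_<algo>.
    if getattr(ctor, "__name__", "").startswith("openssl_"):
        return "openssl"
    # The bundled implementation is exposed as classes from the _sha3 module.
    if isinstance(ctor, type) and getattr(ctor, "__module__", "") == "_sha3":
        return "bundled"
    return "unknown"


def assess(version, constructors):
    """Map each constructor name to a verdict for Python `version` (major, minor)."""
    report = {}
    for name, ctor in constructors.items():
        kind = classify_constructor(ctor)
        if kind == "openssl":
            report[name] = "ok: delegated to OpenSSL"
        elif kind == "bundled" and tuple(version) >= (3, 11):
            report[name] = "ok: bundled _sha3, but 3.11+ no longer uses XKCP"
        elif kind == "bundled":
            report[name] = "check: bundled XKCP _sha3, vulnerable if unpatched"
        else:
            report[name] = "unknown: inspect manually"
    return report


def assess_this_interpreter():
    """Run the assessment against the interpreter executing this script."""
    ctors = {n: getattr(hashlib, n) for n in SHA3_NAMES if hasattr(hashlib, n)}
    return assess(sys.version_info[:2], ctors)


if __name__ == "__main__":
    for name, verdict in assess_this_interpreter().items():
        print(f"{name}: {verdict}")
```

Run it with each interpreter a distribution ships (for example `python3.8 script.py`); a "check" verdict means the package changelog has to confirm the CVE-2022-37454 patch.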
gpshead pushed a commit that referenced this issue Oct 21, 2022
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].

[1]: XKCP/XKCP@fdc6fef
[2]: https://mouha.be/sha-3-buffer-overflow/

Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 21, 2022
…-98519)

This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].

[1]: XKCP/XKCP@fdc6fef
[2]: https://mouha.be/sha-3-buffer-overflow/

Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058)

Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
ned-deily pushed a commit that referenced this issue Oct 22, 2022
…8528)

This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].

[1]: XKCP/XKCP@fdc6fef
[2]: https://mouha.be/sha-3-buffer-overflow/

Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058)

Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
@hroncok
Contributor

hroncok commented Oct 25, 2022

> Scope: When Python is linked against OpenSSL 1.1.1 or later, which is true on many modern systems, the OpenSSL provided sha3 implementation will be used instead of the vulnerable bundled _sha3 XKCP module code.

As far as I can see on Fedora, only Python 3.9+ reports <built-in function openssl_sha3_224>. Older Python versions, despite being linked against OpenSSL 1.1.1 or later, are still vulnerable.

@mcepl
Contributor

mcepl commented Oct 25, 2022

> Scope: When Python is linked against OpenSSL 1.1.1 or later, which is true on many modern systems, the OpenSSL provided sha3 implementation will be used instead of the vulnerable bundled _sha3 XKCP module code.
>
> You can tell if your Python 3.10 or earlier is vulnerable by doing the following:

I don’t think it is correct (at least for the enterprise maintainers dealing with archaeological excavations; however, this is openSUSE/Tumbleweed):

```
stitny~$ python3.6
Python 3.6.15 (default, Sep 15 2021, 11:41:54) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> h = hashlib.sha3_224()
>>> hashlib.sha3_224
<class '_sha3.sha3_224'>
>>> h.update(b"\x00" * 1)
>>> h.update(b"\x00" * 4294967295)
fish: Job 1, 'python3.6' terminated by signal SIGSEGV (Address boundary error)
stitny~$
```

and even

```
stitny~$ python3.8
Python 3.8.15 (default, Oct 19 2022, 07:18:07) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hashlib.sha3_224
<class '_sha3.sha3_224'>
>>> h = hashlib.sha3_224()
>>> h.update(b"\x00" * 1)
>>> h.update(b"\x00" * 4294967295)
fish: Job 1, 'python3.8' terminated by signal SIGSEGV (Address boundary error)
stitny~$
```

So, you are right, linking against the modern OpenSSL is the key.

@mcepl
Contributor

mcepl commented Oct 25, 2022

> Scope: When Python is linked against OpenSSL 1.1.1 or later, which is true on many modern systems, the OpenSSL provided sha3 implementation will be used instead of the vulnerable bundled _sha3 XKCP module code.

Hmm, it is not that simple: see my example with Python 3.6 on openSUSE. See also (the same goes for our Python 3.8):

```
stitny~$ python3.6
Python 3.6.15 (default, Sep 15 2021, 11:41:54) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.1.1q  5 Jul 2022'
>>>
```

@msmeissn

openssl sha3 delegation was added in commit d5b3f6b, which is 3.9 and later python I think.

@mcepl
Contributor

mcepl commented Oct 25, 2022

> openssl sha3 delegation was added in commit d5b3f6b, which is 3.9 and later python I think.

Hmm, that makes me wonder, @tiran, how hopeless do you think it would be to port that pull request to 3.8 and 3.6? Did the underlying code completely change between the versions or is it more or less the same? I really don’t like bundled implementations of security algorithms.

@gpshead
Member

gpshead commented Oct 26, 2022

Our 3.7 and 3.8 branches will get the patch merged, see the PRs above. 3.6 is EOL but it is trivial to apply the change to older _sha3 supporting releases for distributors with a need to do so on their own.

ambv pushed a commit that referenced this issue Oct 28, 2022
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].

[1]: XKCP/XKCP@fdc6fef
[2]: https://mouha.be/sha-3-buffer-overflow/

Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058)

Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this issue Oct 29, 2022
https://build.opensuse.org/request/show/1032060
by user mcepl + dimstar_suse
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
  bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
  overflow in hashlib.sha3_* implementations (originally from the
  XKCP library).
@vstinner vstinner changed the title from "Buffer overflow in the _sha3 module in python versions <= 3.10" to "[CVE-2022-37454] Buffer overflow in the _sha3 module in python versions <= 3.10" Nov 3, 2022
@vstinner
Member

vstinner commented Nov 4, 2022

I created https://python-security.readthedocs.io/vuln/sha3-buffer-overflow.html to track this vulnerability.

@gpshead
Member

gpshead commented Nov 7, 2022

Everything was merged. Closing. If you don't see this fix backported into your favorite OS distro that ships their own Python packages, reach out to that distro's security reporting process. Otherwise these will be part of the next planned regular patch releases of all impacted Python versions. https://peps.python.org/pep-0619/ for example. (there's a similar PEP for each version)

@gpshead gpshead closed this as completed Nov 7, 2022
arnout pushed a commit to buildroot/buildroot that referenced this issue Dec 4, 2022
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an
integer overflow and resultant buffer overflow that allows attackers to
execute arbitrary code or eliminate expected cryptographic properties.
This occurs in the sponge function interface.

Python 3.11 and later switched to using tiny_sha3 in GH-32060, so they
should not be affected.

python/cpython#98517

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
arnout pushed a commit to buildroot/buildroot that referenced this issue Dec 8, 2022
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an
integer overflow and resultant buffer overflow that allows attackers to
execute arbitrary code or eliminate expected cryptographic properties.
This occurs in the sponge function interface.

Python 3.11 and later switched to using tiny_sha3 in GH-32060, so they
should not be affected.

python/cpython#98517

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 92d96e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This issue was closed.