-
-
Notifications
You must be signed in to change notification settings - Fork 219
/
CVE-2022-37454.yml
48 lines (48 loc) · 2.54 KB
/
CVE-2022-37454.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
---
gem: sha3
cve: 2022-37454
ghsa: 6w4m-2xhg-2658
url: https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
title: Buffer overflow in sponge queue functions
date: 2023-04-26
description: |
Impact
The Keccak sponge function interface accepts partial inputs to be
absorbed and partial outputs to be squeezed. A buffer can overflow
when partial data with some specific sizes are queued, where at
least one of them has a length of 2^32 - 200 bytes or more.
Patches
Yes, see commit [fdc6fef0](https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a).
Workarounds
The problem can be avoided by limiting the size of the partial
input data (or partial output digest) below 2^32 - 200 bytes.
Multiple calls to the queue system can be chained at a higher
level to retain the original functionality. Alternatively, one
can process the entire input (or produce the entire output) at
once, avoiding the queuing functions altogether.
References
See [issue #105](https://github.com/XKCP/XKCP/issues/105) for more details.
cvss_v3: 9.8
patched_versions:
- ">= 1.0.5"
related:
url:
- https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
- https://nvd.nist.gov/vuln/detail/CVE-2022-37454
- https://github.com/XKCP/XKCP/issues/105
- https://github.com/johanns/sha3/issues/17
- https://github.com/tiran/pysha3/issues/29
- https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
- https://github.com/johanns/sha3/commit/5f2e8118a62831911703c8753ff2435c3b5d7312
- https://csrc.nist.gov/projects/hash-functions/sha-3-project
- https://eprint.iacr.org/2023/331
- https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html
- https://mouha.be/sha-3-buffer-overflow/
- https://www.debian.org/security/2022/dsa-5267
- https://www.debian.org/security/2022/dsa-5269
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ
- https://github.com/advisories/GHSA-6w4m-2xhg-2658