add sha3 buffer overflow

vstinner · Nov 4, 2022 · cc12464 · cc12464
1 parent 6212e29
commit cc12464
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 0 deletions.
diff --git a/bugs.txt b/bugs.txt
@@ -370,3 +370,8 @@ gh-97514:
     date: 2022-09-23 19:24:04
     title: Linux specific local privilege escalation via the multiprocessing forkserver
         start method - CVE-2022-42919
+gh-98517:
+    author: botovq
+    date: 2022-10-21 12:51:55
+    title: '[CVE-2022-37454] Buffer overflow in the _sha3 module in python versions
+        <= 3.10'
diff --git a/commit_dates.txt b/commit_dates.txt
@@ -19,6 +19,7 @@
 0cf2cf2b7d726d12a6046441e4067d32c7dd4feb: Mon Apr 18 03:45:18 2016 +0000
 0e1f1f01058bd4a9b98cfe443214adecc019a38c: Sun Mar 10 22:42:28 2019 +0530
 0e4571a68a7f48e8469ef05b04ba3463d3fd82c0: Thu Jun 15 02:16:35 2017 +0200
+0e4e058602d93b88256ff90bbef501ba20be9dd3: Fri Oct 21 21:26:01 2022 +0200
 0e6c8ee2358a2e23117501826c008842acb835ac: Sun Mar 4 00:33:32 2018 -0500
 0f0f85e9d8088eb789cda35477900df32adff546: Sat Apr 2 06:37:39 2022 -0700
 110dd153662a13b8ae1bb06348e5b1f118ab26d7: Mon Jul 6 18:24:59 2020 +0100
@@ -167,12 +168,14 @@
 7df32f844efed33ca781a016017eab7050263b90: Wed May 27 16:17:52 2020 -0700
 7e200e0763f5b71c199aaf98bd5588f291585619: Tue May 7 17:28:47 2019 +0200
 7e38d3309e0a5a7b9e23ef933aef0079c6e317f7: Mon Mar 29 06:02:40 2021 -0700
+8088c90044ba04cd5624b278340ebf934dbee4a5: Fri Oct 21 20:37:54 2022 -0700
 80b24a9354c60f6b800d462c941c6d4cde3cf783: Tue Jan 31 13:30:58 2017 +0100
 824f7f366d1b54d2d3100c3130c04cf1dfb4b47c: Sat Aug 17 00:54:47 2013 +0200
 82f88283171933127f20f866a7f98694b29cca56: Fri Aug 23 13:26:49 2013 -0400
 83ac0144fa3041556aa4f3952ebd979e0189a19c: Mon Jul 28 05:06:20 2008 +0000
 83e37e16f3065086d721d4e62a3788e01db3431c: Sat Aug 19 01:06:27 2017 +0200
 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba: Sat Mar 14 15:35:52 2020 -0700
+857efee6d2d43c5c12fc7e377ce437144c728ab8: Fri Oct 28 03:08:06 2022 -0700
 86a713cb0c110b6798ca7f9e630fc511ee0a4028: Sun Sep 24 01:04:53 2017 -0700
 86b95370c45dedb8a56c9894372a43681de47a73: Thu Jun 15 01:26:16 2017 +0200
 86d53caddad11808ca332ab93ec35508b602a0dd: Sat May 18 17:56:42 2013 +0200
@@ -199,6 +202,7 @@
 93d0cb58b4da2a88c56f472c6c19491cc7a390df: Fri Aug 18 23:43:54 2017 +0200
 93ebfb154456daa841aa223bd296422787b3074c: Tue Aug 19 21:02:04 2008 +0000
 942cc04ae44825ea120e3a19a80c9b348b8194d0: Sun Mar 11 14:28:53 2018 -0400
+948c6794711458fd148a3fa62296cadeeb2ed631: Fri Oct 28 03:07:50 2022 -0700
 96739bccf220689a54ef33341f431eda19c287fa: Tue Sep 20 04:12:35 2022 -0700
 96fdbacb7797a564249fd59ccf86ec153c4bb095: Mon Mar 5 15:12:56 2018 -0800
 977c707b425ee753d54f3e9010f07ec77ef61274: Mon Oct 4 21:08:36 2010 +0000

diff --git a/cve/CVE-2022-37454.json b/cve/CVE-2022-37454.json
@@ -0,0 +1,52 @@
+{
+    "Modified": "2022-11-04T00:15:00",
+    "Published": "2022-10-21T06:15:00",
+    "access": {},
+    "assigner": "cve@mitre.org",
+    "capec": [
+        {
+            "id": "92",
+            "name": "Forced Integer Overflow",
+            "prerequisites": "The attacker can manipulate the value of an integer variable utilized by the target host. The target host does not do proper range checking on the variable before utilizing it. When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number)",
+            "related_weakness": [
+                "120",
+                "122",
+                "128",
+                "190",
+                "196",
+                "680",
+                "697"
+            ],
+            "solutions": "Use a language or compiler that performs automatic bounds checking. Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow. Use an abstraction library to abstract away risky APIs. Not a complete solution. Always do bound checking before consuming user input data.",
+            "summary": "This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code."
+        }
+    ],
+    "cvss": null,
+    "cwe": "CWE-190",
+    "id": "CVE-2022-37454",
+    "impact": {},
+    "last-modified": "2022-11-04T00:15:00",
+    "references": [
+        "https://news.ycombinator.com/item?id=33281106",
+        "https://csrc.nist.gov/projects/hash-functions/sha-3-project",
+        "https://mouha.be/sha-3-buffer-overflow/",
+        "https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658",
+        "https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html",
+        "https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html",
+        "https://www.debian.org/security/2022/dsa-5267",
+        "https://www.debian.org/security/2022/dsa-5269",
+        "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/",
+        "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/"
+    ],
+    "summary": "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.",
+    "vulnerable_configuration": [
+        {
+            "id": "cpe:2.3:a:extended_keccak_code_package_project:extended_keccak_code_package:-:*:*:*:*:*:*:*",
+            "title": "cpe:2.3:a:extended_keccak_code_package_project:extended_keccak_code_package:-:*:*:*:*:*:*:*"
+        }
+    ],
+    "vulnerable_configuration_cpe_2_2": [],
+    "vulnerable_product": [
+        "cpe:2.3:a:extended_keccak_code_package_project:extended_keccak_code_package:-:*:*:*:*:*:*:*"
+    ]
+}
diff --git a/vulnerabilities.yaml b/vulnerabilities.yaml
@@ -2072,3 +2072,31 @@
     start method.
 
     This issue was discovered by Devin Jeanpierre (@ssbr) of Google.
+
+- name: "Buffer overflow in the _sha3 module in Python 3.10 and older"
+  slug: sha3-buffer-overflow
+  cve: CVE-2022-37454
+  gh: 98517
+  links:
+    - https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
+  affected-versions:
+   - "3.7"
+   - "3.8"
+   - "3.9"
+   - "3.10"
+  fixed-in:
+   - '3.7': 8088c90044ba04cd5624b278340ebf934dbee4a5
+   - '3.8': 948c6794711458fd148a3fa62296cadeeb2ed631
+   - '3.9': 857efee6d2d43c5c12fc7e377ce437144c728ab8
+   - '3.10': 0e4e058602d93b88256ff90bbef501ba20be9dd3
+  description: |
+    CVE-2022-37454 affects Python versions prior to 3.11. The fix discussed in
+    `XKCP's advisory
+    <https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658>`_
+    can be adapted to these versions. The discoverer's writeup contains code
+    that might be turned into regression tests.
+
+    Python 3.11 is not affected: Python 3.11 switched to using tiny_sha3 in
+    `issue GH-91254 <https://github.com/python/cpython/issues/91254>`_.
+
+    The XKCP vulnerability has been found by Nicky Mouha.