| Name | CVE-2022-37454 |
| Description | The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3174-1, DLA-3175-1, DLA-3243-1, DSA-5267-1, DSA-5269-1, DSA-5277-1 |
| Debian Bugs | 1023030 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| php5 (PTS) | jessie, jessie (lts) | 5.6.40+dfsg-0+deb8u18 | fixed |
| php7.0 (PTS) | stretch (security) | 7.0.33-0+deb9u12 | fixed |
| stretch (lts), stretch | 7.0.33-0+deb9u16 | fixed |
| php7.3 (PTS) | buster | 7.3.31-1~deb10u1 | vulnerable |
| buster (security) | 7.3.31-1~deb10u5 | fixed |
| php7.4 (PTS) | bullseye | 7.4.33-1+deb11u4 | fixed |
| bullseye (security) | 7.4.33-1+deb11u5 | fixed |
| pypy3 (PTS) | buster | 7.0.0+dfsg-3 | fixed |
| bullseye (security), bullseye | 7.3.5+dfsg-2+deb11u2 | fixed |
| bookworm | 7.3.11+dfsg-2+deb12u1 | fixed |
| sid, trixie | 7.3.15+dfsg-1 | fixed |
| pysha3 (PTS) | buster | 1.0.2-2 | vulnerable |
| buster (security) | 1.0.2-2+deb10u1 | fixed |
| bullseye (security), bullseye | 1.0.2-4.1+deb11u1 | fixed |
| python2.7 (PTS) | jessie, jessie (lts) | 2.7.9-2-ds1-1+deb8u12 | fixed |
| stretch (security) | 2.7.13-2+deb9u6 | fixed |
| stretch (lts), stretch | 2.7.13-2+deb9u9 | fixed |
| buster | 2.7.16-2+deb10u1 | fixed |
| buster (security) | 2.7.16-2+deb10u4 | fixed |
| bullseye | 2.7.18-8+deb11u1 | fixed |
| python3.4 (PTS) | jessie, jessie (lts) | 3.4.2-1+deb8u17 | fixed |
| python3.5 (PTS) | stretch (security) | 3.5.3-1+deb9u5 | fixed |
| stretch (lts), stretch | 3.5.3-1+deb9u9 | fixed |
| python3.7 (PTS) | buster | 3.7.3-2+deb10u3 | vulnerable |
| buster (security) | 3.7.3-2+deb10u7 | fixed |
| python3.9 (PTS) | bullseye | 3.9.2-1 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
- python2.7 <not-affected> (Vulnerable code introduced later)
[buster] - pypy3 <not-affected> (Vulnerable code not present before we switch to the 3.6 branch in 7.1.1+dfsg-1)
https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
https://mouha.be/sha-3-buffer-overflow/
PHP Bug: https://bugs.php.net/bug.php?id=81738
PHP fixed in: 7.4.33, 8.0.25, 8.1.12
For PHP, introduced in: https://github.com/php/php-src/commit/91663a92d1697fc30a7ba4687d73e0f63ec2baa1 (php-7.2.0alpha1)
Fixed by: https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd (php-8.2.0RC5)
https://github.com/python/cpython/issues/98517
https://github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3 (v3.10.9)
https://github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8 (v3.9.16)
https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631 (v3.8.16)
https://github.com/python/cpython/commit/8088c90044ba04cd5624b278340ebf934dbee4a5 (v3.7.16)
For Python, introduced in: https://github.com/python/cpython/commit/6fe2a75b645044ca2b5dac03e8d850567b547a9a (3.6)
Versions which have the OpenSSL sha3 delegation are not affected by the issue and only ship
source-wise the bundled _sha3 XKCP module code.
OpenSSL sha3 delegation added in https://github.com/python/cpython/commit/d5b3f6b7f9fc74438009af63f1de01bd77be9385 (v3.9.0b1)
https://python-security.readthedocs.io/vuln/sha3-buffer-overflow.html
pypy3 fix: https://foss.heptapod.net/pypy/pypy/-/commit/860b897b2611a4099ef9c63ce848fdec89c74b31
- php5 <not-affected> (Vulnerable code introduced later)
- php7.0 <not-affected> (Vulnerable code introduced later)
- python3.4 <not-affected> (Vulnerable code introduced later)
- python3.5 <not-affected> (Vulnerable code introduced later)