CVE-2022-37454

Name: CVE-2022-37454
Description: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3174-1, DLA-3175-1, DLA-3243-1, DSA-5267-1, DSA-5269-1, DSA-5277-1
Debian Bugs: 1023030

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package   | Release                                  | Version                | Status     |
|------------------|------------------------------------------|------------------------|------------|
| php5 (PTS)       | jessie, jessie (lts)                     | 5.6.40+dfsg-0+deb8u21  | fixed      |
| php7.0 (PTS)     | stretch (security)                       | 7.0.33-0+deb9u12       | fixed      |
| php7.0 (PTS)     | stretch (lts), stretch                   | 7.0.33-0+deb9u19       | fixed      |
| php7.3 (PTS)     | buster, buster (lts)                     | 7.3.31-1~deb10u8       | fixed      |
| php7.3 (PTS)     | buster (security)                        | 7.3.31-1~deb10u7       | fixed      |
| php7.4 (PTS)     | bullseye                                 | 7.4.33-1+deb11u5       | fixed      |
| php7.4 (PTS)     | bullseye (security)                      | 7.4.33-1+deb11u7       | fixed      |
| pypy (PTS)       | jessie                                   | 2.4.0+dfsg-3           | fixed      |
| pypy (PTS)       | stretch                                  | 5.6.0+dfsg-4           | fixed      |
| pypy (PTS)       | buster                                   | 7.0.0+dfsg-3           | fixed      |
| pypy (PTS)       | bullseye                                 | 7.3.3+dfsg-2           | fixed      |
| pypy3 (PTS)      | buster                                   | 7.0.0+dfsg-3           | fixed      |
| pypy3 (PTS)      | bullseye                                 | 7.3.5+dfsg-2+deb11u2   | fixed      |
| pypy3 (PTS)      | bullseye (security)                      | 7.3.5+dfsg-2+deb11u4   | fixed      |
| pypy3 (PTS)      | bookworm                                 | 7.3.11+dfsg-2+deb12u2  | fixed      |
| pypy3 (PTS)      | sid, trixie                              | 7.3.17+dfsg-3          | fixed      |
| pysha3 (PTS)     | buster (security), buster, buster (lts)  | 1.0.2-2+deb10u1        | fixed      |
| pysha3 (PTS)     | bullseye (security), bullseye            | 1.0.2-4.1+deb11u1      | fixed      |
| python2.7 (PTS)  | jessie, jessie (lts)                     | 2.7.9-2-ds1-1+deb8u12  | fixed      |
| python2.7 (PTS)  | stretch (security)                       | 2.7.13-2+deb9u6        | fixed      |
| python2.7 (PTS)  | stretch (lts), stretch                   | 2.7.13-2+deb9u9        | fixed      |
| python2.7 (PTS)  | buster (security), buster, buster (lts)  | 2.7.16-2+deb10u4       | fixed      |
| python2.7 (PTS)  | bullseye                                 | 2.7.18-8+deb11u1       | fixed      |
| python3.4 (PTS)  | jessie, jessie (lts)                     | 3.4.2-1+deb8u19        | fixed      |
| python3.5 (PTS)  | stretch (security)                       | 3.5.3-1+deb9u5         | fixed      |
| python3.5 (PTS)  | stretch (lts), stretch                   | 3.5.3-1+deb9u11        | fixed      |
| python3.7 (PTS)  | buster, buster (lts)                     | 3.7.3-2+deb10u9        | fixed      |
| python3.7 (PTS)  | buster (security)                        | 3.7.3-2+deb10u7        | fixed      |
| python3.9 (PTS)  | bullseye                                 | 3.9.2-1                | vulnerable |
| python3.9 (PTS)  | bullseye (security)                      | 3.9.2-1+deb11u2        | vulnerable |

The information below is based on the following data on fixed versions.

| Package    | Type   | Release    | Fixed Version          | Urgency     | Origin     | Debian Bugs |
|------------|--------|------------|------------------------|-------------|------------|-------------|
| php5       | source | (unstable) | (not affected)         |             |            |             |
| php7.0     | source | (unstable) | (not affected)         |             |            |             |
| php7.3     | source | buster     | 7.3.31-1~deb10u2       |             | DLA-3243-1 |             |
| php7.3     | source | (unstable) | (unfixed)              |             |            |             |
| php7.4     | source | bullseye   | 7.4.33-1+deb11u1       |             | DSA-5277-1 |             |
| php7.4     | source | (unstable) | (unfixed)              |             |            |             |
| php8.1     | source | (unstable) | 8.1.12-1               |             |            |             |
| pypy       | source | (unstable) | (not affected)         |             |            |             |
| pypy3      | source | buster     | (not affected)         |             |            |             |
| pypy3      | source | bullseye   | 7.3.5+dfsg-2+deb11u2   |             | DSA-5269-1 |             |
| pypy3      | source | (unstable) | 7.3.9+dfsg-5           |             |            |             |
| pysha3     | source | buster     | 1.0.2-2+deb10u1        |             | DLA-3174-1 |             |
| pysha3     | source | bullseye   | 1.0.2-4.1+deb11u1      |             | DSA-5267-1 |             |
| pysha3     | source | (unstable) | 1.0.2-5                |             |            | 1023030     |
| python2.7  | source | (unstable) | (not affected)         |             |            |             |
| python3.10 | source | (unstable) | 3.10.9-1               | unimportant |            |             |
| python3.4  | source | (unstable) | (not affected)         |             |            |             |
| python3.5  | source | (unstable) | (not affected)         |             |            |             |
| python3.7  | source | buster     | 3.7.3-2+deb10u4        |             | DLA-3175-1 |             |
| python3.7  | source | (unstable) | (unfixed)              |             |            |             |
| python3.9  | source | (unstable) | (unfixed)              | unimportant |            |             |

Notes

- python2.7 <not-affected> (Vulnerable code introduced later)
[buster] - pypy3 <not-affected> (Vulnerable code not present before we switch to the 3.6 branch in 7.1.1+dfsg-1)
https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
https://mouha.be/sha-3-buffer-overflow/
PHP Bug: https://bugs.php.net/bug.php?id=81738
PHP fixed in: 7.4.33, 8.0.25, 8.1.12
For PHP, introduced in: https://github.com/php/php-src/commit/91663a92d1697fc30a7ba4687d73e0f63ec2baa1 (php-7.2.0alpha1)
Fixed by: https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd (php-8.2.0RC5)
https://github.com/python/cpython/issues/98517
https://github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3 (v3.10.9)
https://github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8 (v3.9.16)
https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631 (v3.8.16)
https://github.com/python/cpython/commit/8088c90044ba04cd5624b278340ebf934dbee4a5 (v3.7.16)
For Python, introduced in: https://github.com/python/cpython/commit/6fe2a75b645044ca2b5dac03e8d850567b547a9a (3.6)
Versions that delegate SHA-3 to OpenSSL are not affected by the issue; they only ship the bundled _sha3 XKCP module code in source form, without using it.
OpenSSL sha3 delegation added in https://github.com/python/cpython/commit/d5b3f6b7f9fc74438009af63f1de01bd77be9385 (v3.9.0b1)
https://python-security.readthedocs.io/vuln/sha3-buffer-overflow.html
pypy3 fix: https://foss.heptapod.net/pypy/pypy/-/commit/860b897b2611a4099ef9c63ce848fdec89c74b31
- php5 <not-affected> (Vulnerable code introduced later)
- php7.0 <not-affected> (Vulnerable code introduced later)
- pypy <not-affected> (Vulnerable code introduced later)
- python3.4 <not-affected> (Vulnerable code introduced later)
- python3.5 <not-affected> (Vulnerable code introduced later)
