Buffer overflow in the _sha3 module in Python 3.10 and older

CVE-2022-37454 affects Python versions prior to 3.11. The fix discussed in XKCP’s advisory can be adapted to these versions. The discoverer’s writeup contains code that might be turned into regression tests.

Python 3.11 is not affected: Python 3.11 switched to using tiny_sha3 in issue GH-91254.

The XKCP vulnerability has been found by Nicky Mouha.

Dates:

  • Disclosure date: 2022-10-21 (Python issue gh-98517 reported)

Vulnerable Versions

  • Python 3.10 (need release)
  • Python 3.7 (need release)
  • Python 3.8 (need release)
  • Python 3.9 (need release)

Python issue

[CVE-2022-37454] Buffer overflow in the _sha3 module in python versions <= 3.10.

  • Python issue: gh-98517
  • Creation date: 2022-10-21
  • Reporter: botovq

CVE-2022-37454

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

Timeline

Timeline using the disclosure date 2022-10-21 as reference: