The Keccak XKCP SHA-3 reference implementation before fdc6fef has an
integer overflow and resultant buffer overflow that allows attackers to
execute arbitrary code or eliminate expected cryptographic properties. This
occurs in the sponge function interface.
| Author | Note |
|---|---|
| sbeattie | PEAR issues should go against php-pear as of xenial |
| rodrigo-zaiden | PHP includes Keccak code for sha3 starting from php7.2 |
| leosilva | in PHP it was introduced in 91663a92d1697fc30a7ba4687d73e0f63ec2baa1 php-7.2.0alpha1 |
| mdeslaur | Python 3.11 switched to using tiny_sha3, so not affected. |
| OS | OS version | Architecture | Package | Affected version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | php7.2 | < 7.2.24-0ubuntu0.18.04.15 | UNKNOWN |
| ubuntu | 20.04 | noarch | php7.4 | < 7.4.3-4ubuntu2.15 | UNKNOWN |
| ubuntu | 22.04 | noarch | php8.1 | < 8.1.2-1ubuntu2.8 | UNKNOWN |
| ubuntu | 22.10 | noarch | php8.1 | < 8.1.7-1ubuntu3.1 | UNKNOWN |
| ubuntu | 23.04 | noarch | php8.1 | < 8.1.12-1ubuntu2 | UNKNOWN |
| ubuntu | 20.04 | noarch | pypy3 | < 7.3.1+dfsg-4ubuntu0.1 | UNKNOWN |
| ubuntu | 22.04 | noarch | pypy3 | < 7.3.9+dfsg-1ubuntu0.1 | UNKNOWN |
| ubuntu | 18.04 | noarch | pysha3 | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | pysha3 | < 1.0.2-4ubuntu0.1 | UNKNOWN |
| ubuntu | 22.04 | noarch | pysha3 | < 1.0.2-4.2ubuntu0.22.04.1 | UNKNOWN |
csrc.nist.gov/projects/hash-functions/sha-3-project
github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd
github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3 (3.10-branch)
github.com/python/cpython/commit/8088c90044ba04cd5624b278340ebf934dbee4a5 (3.7-branch)
github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8 (3.9-branch)
github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631 (3.8-branch)
github.com/python/cpython/issues/98517
github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
launchpad.net/bugs/cve/CVE-2022-37454
mouha.be/sha-3-buffer-overflow/
news.ycombinator.com/item?id=33281106
nvd.nist.gov/vuln/detail/CVE-2022-37454
security-tracker.debian.org/tracker/CVE-2022-37454
ubuntu.com/security/notices/USN-5717-1
ubuntu.com/security/notices/USN-5767-1
ubuntu.com/security/notices/USN-5767-3
ubuntu.com/security/notices/USN-5888-1
ubuntu.com/security/notices/USN-5930-1
ubuntu.com/security/notices/USN-5931-1
ubuntu.com/security/notices/USN-6524-1
ubuntu.com/security/notices/USN-6525-1
www.cve.org/CVERecord?id=CVE-2022-37454