Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python38 for openSUSE:Factory checked in at 2022-10-29 20:16:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python38 (Old) and /work/SRC/openSUSE:Factory/.python38.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python38" Sat Oct 29 20:16:09 2022 rev:29 rq:1032060 version:3.8.15 Changes: -------- --- /work/SRC/openSUSE:Factory/python38/python38.changes 2022-10-28 19:28:35.806350432 +0200 +++ /work/SRC/openSUSE:Factory/.python38.new.2275/python38.changes 2022-10-29 20:17:11.606238377 +0200 @@ -1,0 +2,8 @@ +Fri Oct 28 19:43:13 UTC 2022 - Matej Cepl <[email protected]> + +- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix + bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer + overflow in hashlib.sha3_* implementations (originally from the + XKCP library). + +------------------------------------------------------------------- New: ---- CVE-2022-37454-sha3-buffer-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python38.spec ++++++ --- /var/tmp/diff_new_pack.1SYCzc/_old 2022-10-29 20:17:12.546243386 +0200 +++ /var/tmp/diff_new_pack.1SYCzc/_new 2022-10-29 20:17:12.550243407 +0200 @@ -176,6 +176,10 @@ # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 [email protected] # this patch makes things totally awesome Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch +# PATCH-FIX-UPSTREAM CVE-2022-37454-sha3-buffer-overflow.patch bsc#1204577 [email protected] +# Fix original buffer overflow +# Originally from gh#python/cpython#98528 +Patch39: CVE-2022-37454-sha3-buffer-overflow.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -444,6 +448,7 @@ %patch36 -p1 %patch37 -p1 %patch38 -p1 +%patch39 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ CVE-2022-37454-sha3-buffer-overflow.patch ++++++ >From 64ab634658a31de4e349c0ba8bc27a81c0c2a1f8 Mon Sep 17 00:00:00 2001 From: Theo Buehler <[email protected]> Date: Fri, 21 Oct 2022 21:26:01 +0200 Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <[email protected]> (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) Co-authored-by: Theo Buehler <[email protected]> --- Lib/test/test_hashlib.py | 9 ++++++ Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 Modules/_sha3/kcp/KeccakSponge.inc | 15 +++++----- 3 files changed, 18 insertions(+), 7 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -434,6 +434,15 @@ class HashLibTestCase(unittest.TestCase) def test_case_md5_uintmax(self, size): self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') + @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') + @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) + def test_sha3_update_overflow(self, size): + """Regression test for gh-98517 CVE-2022-37454.""" + h = hashlib.sha3_224() + h.update(b'\x01') + h.update(b'\x01'*0xffff_ffff) + self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed') + # use the three examples from Federal Information Processing Standards # Publication 180-1, Secure Hash Standard, 1995 April 17 # http://www.itl.nist.gov/div897/pubs/fip180-1.htm --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst @@ -0,0 +1 @@ +Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). --- a/Modules/_sha3/kcp/KeccakSponge.inc +++ b/Modules/_sha3/kcp/KeccakSponge.inc @@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instanc i = 0; curData = data; while(i < dataByteLen) { - if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { + if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { #ifdef SnP_FastLoop_Absorb /* processing full blocks first */ @@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instanc } else { /* normal lane: using the message queue */ - - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) partialBlock = rateInBytes-instance->byteIOIndex; + else + partialBlock = (unsigned int)(dataByteLen - i); #ifdef KeccakReference displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); #endif @@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instan i = 0; curData = data; while(i < dataByteLen) { - if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { + if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { SnP_Permute(instance->state); SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); @@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instan SnP_Permute(instance->state); instance->byteIOIndex = 0; } - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) partialBlock = rateInBytes-instance->byteIOIndex; + else + partialBlock = (unsigned int)(dataByteLen - i); i += partialBlock; SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
