Hi!

https://eprint.iacr.org/2023/331 says

"This paper describes a vulnerability in several implementations of the Secure Hash Algorithm 3 (SHA-3) that have been released by its designers. The vulnerability has been present since the final-round update of Keccak [...] It affects all software projects that have integrated this code, [...]. The vulnerability is a buffer overflow that allows attacker-controlled values to be eXclusive-ORed (XORed) into memory (without any restrictions on values to be XORed and even far beyond the location of the original buffer), thereby making many standard protection measures against buffer overflows (e.g., canary values) completely ineffective."

I looked for SHA 3 and keccak and found at least the following hits in our tree:

common/lib/libc/hash/sha3/sha3.c
crypto/external/bsd/openssl/dist/crypto/evp/m_sha3.c
crypto/external/bsd/openssl/dist/crypto/sha/asm/
crypto/external/bsd/openssl/dist/crypto/sha/keccak1600.c
crypto/external/bsd/openssl/dist/crypto/evp/m_sha3.c
crypto/external/bsd/openssl.old/...
external/public-domain/sqlite/dist/shell.c

Has anyone investigated if NetBSD is affected and how often?

Thomas