Vulnerability CVE-2022-37454: Information

Description

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-37454

Published: Oct. 21, 2022

Modified: May 3, 2023

Error type identifier: CWE-190

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
php7	p10	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-3024-1	309489	Fixed
php7	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7016-1	-	Fixed
php7	c10f1	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-3024-1	309489	Fixed
php7	c9f2	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-3107-1	309490	Fixed
php7-curl	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7017-1	-	Fixed
php7-gd	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7018-1	-	Fixed
php7-intl	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7024-1	-	Fixed
php7-opcache	p10_e2k	7.4.33-alt1.2	7.4.33-alt1.2	ALT-PU-2022-7025-1	-	Fixed
php7-openssl	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7019-1	-	Fixed
php7-pdo_mysql	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7020-1	-	Fixed
php7-pgsql	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7021-1	-	Fixed
php7-tidy	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7027-1	-	Fixed
php7-xmlrpc	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7026-1	-	Fixed
php7-xsl	p10_e2k	7.4.33-alt1.1	7.4.33-alt1.1	ALT-PU-2022-7023-1	-	Fixed
php7-zip	p10_e2k	7.4.33-alt1	7.4.33-alt1	ALT-PU-2022-7022-1	-	Fixed
php8.0	p10	8.0.25-alt1	8.0.30-alt1	ALT-PU-2022-2986-1	309328	Fixed
php8.0	p10_e2k	8.0.25-alt1	8.0.30-alt1	ALT-PU-2022-6881-1	-	Fixed
php8.0	c10f1	8.0.25-alt1	8.0.30-alt1	ALT-PU-2022-2986-1	309328	Fixed
php8.1	sisyphus	8.1.12-alt1	8.1.28-alt1	ALT-PU-2022-2964-1	309277	Fixed
php8.1	sisyphus_e2k	8.1.12-alt1	8.1.28-alt1	ALT-PU-2022-6838-1	-	Fixed
php8.1	sisyphus_riscv64	8.1.12-alt1	8.1.28-alt1	ALT-PU-2022-6857-1	-	Fixed
php8.1	p10	8.1.12-alt1	8.1.28-alt1	ALT-PU-2022-2988-1	309327	Fixed
php8.1	p10_e2k	8.1.12-alt1	8.1.28-alt1	ALT-PU-2022-6882-1	-	Fixed
php8.1	c10f1	8.1.12-alt1	8.1.28-alt1	ALT-PU-2022-2988-1	309327	Fixed
php8.1	c9f2	8.1.12-alt1	8.1.16-alt1	ALT-PU-2022-3093-1	309712	Fixed
python3	sisyphus	3.11.0-alt1	3.12.2-alt1	ALT-PU-2023-1951-1	311250	Fixed
python3	sisyphus_e2k	3.11.4-alt1	3.12.2-alt1	ALT-PU-2023-3859-1	-	Fixed
python3	sisyphus_riscv64	3.11.0-alt1	3.12.2-alt1	ALT-PU-2023-3923-1	-	Fixed
python3	p10	3.9.16-alt1	3.9.18-alt1	ALT-PU-2023-1518-1	317117	Fixed
python3	p10_e2k	3.9.16-alt1	3.9.18-alt1	ALT-PU-2023-3007-1	-	Fixed
python3	p9	3.7.17-alt1	3.7.17-alt1	ALT-PU-2024-2598-2	340935	Fixed
python3	c10f1	3.9.16-alt1	3.9.18-alt0.c10f1.1	ALT-PU-2023-1518-1	317117	Fixed
python3	c9f2	3.7.17-alt1	3.7.17-alt1	ALT-PU-2024-3474-2	342077	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://news.ycombinator.com/item?id=33281106	Issue Tracking Third Party Advisory
https://csrc.nist.gov/projects/hash-functions/sha-3-project	Third Party Advisory US Government Resource
https://mouha.be/sha-3-buffer-overflow/	Exploit Third Party Advisory
https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658	Patch Third Party Advisory
[debian-lts-announce] 20221031 [SECURITY] [DLA 3174-1] pysha3 security update	Mailing List Third Party Advisory
[debian-lts-announce] 20221101 [SECURITY] [DLA 3175-1] python3.7 security update	Mailing List Third Party Advisory
DSA-5267	Third Party Advisory
DSA-5269	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/	Mailing List Third Party Advisory
https://eprint.iacr.org/2023/331
https://news.ycombinator.com/item?id=35050307
https://security.gentoo.org/glsa/202305-02

Affected configurations:
1. Configuration 1
  cpe:2.3:a:extended_keccak_code_package_project:extended_keccak_code_package:-:*:*:*:*:*:*:*
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
  Start including
  7.2.0
  End excliding
  7.4.33
  cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
  Start including
  8.1.0
  End excliding
  8.1.12
  cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
  Start including
  8.0.0
  End excliding
  8.0.25
  
  Configuration 5
  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
  Start including
  3.6.0
  End excliding
  3.7.16
  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
  Start including
  3.10.0
  End excliding
  3.10.9
  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
  Start including
  3.9.0
  End excliding
  3.9.16
  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
  Start including
  3.8.0
  End excliding
  3.8.16
  
  Configuration 6
  cpe:2.3:a:sha3_project:sha3:*:*:*:*:*:ruby:*:*
  End excliding
  1.0.5
  
  Configuration 7
  cpe:2.3:a:pysha3_project:pysha3:*:*:*:*:*:*:*:*
  
  Configuration 8
  cpe:2.3:a:pypy:pypy:*:*:*:*:*:*:*:*
  Start including
  7.0.0

Version: v24.5.0

Vulnerability CVE-2022-37454: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Configuration 6

Configuration 7

Configuration 8