Update python38 to version 3.8.15 / rev 29 via SR 1032060

https://build.opensuse.org/request/show/1032060 by user mcepl + dimstar_suse - Add CVE-2022-37454-sha3-buffer-overflow.patch to fix bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer overflow in hashlib.sha3_* implementations (originally from the XKCP library).
bmwiedemann · Oct 29, 2022 · 569d100 · 569d100
1 parent 34c2b18
commit 569d100
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 0 deletions.
diff --git a/packages/p/python38/.files b/packages/p/python38/.files
diff --git a/packages/p/python38/.rev b/packages/p/python38/.rev
@@ -575,4 +575,15 @@ Core and Builtins
     <comment></comment>
     <requestid>1031407</requestid>
   </revision>
+  <revision rev="29" vrev="3">
+    <srcmd5>f5d3e39492364c973823fa92d178c3b5</srcmd5>
+    <version>3.8.15</version>
+    <time>1667067369</time>
+    <user>dimstar_suse</user>
+    <comment>- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
+  bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
+  overflow in hashlib.sha3_* implementations (originally from the
+  XKCP library).</comment>
+    <requestid>1032060</requestid>
+  </revision>
 </revisionlist>
diff --git a/packages/p/python38/CVE-2022-37454-sha3-buffer-overflow.patch b/packages/p/python38/CVE-2022-37454-sha3-buffer-overflow.patch
@@ -0,0 +1,93 @@
+From 64ab634658a31de4e349c0ba8bc27a81c0c2a1f8 Mon Sep 17 00:00:00 2001
+From: Theo Buehler <[email protected]>
+Date: Fri, 21 Oct 2022 21:26:01 +0200
+Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module
+ (GH-98519)
+
+This is a port of the applicable part of XKCP's fix [1] for
+CVE-2022-37454 and avoids the segmentation fault and the infinite
+loop in the test cases published in [2].
+
+[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
+[2]: https://mouha.be/sha-3-buffer-overflow/
+
+Regression test added by: Gregory P. Smith [Google LLC] <[email protected]>
+(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
+
+Co-authored-by: Theo Buehler <[email protected]>
+---
+ Lib/test/test_hashlib.py                                                |    9 ++++++
+ Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst |    1 
+ Modules/_sha3/kcp/KeccakSponge.inc                                      |   15 +++++-----
+ 3 files changed, 18 insertions(+), 7 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+
+--- a/Lib/test/test_hashlib.py
++++ b/Lib/test/test_hashlib.py
+@@ -434,6 +434,15 @@ class HashLibTestCase(unittest.TestCase)
+     def test_case_md5_uintmax(self, size):
+         self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
+
++    @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
++    @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
++    def test_sha3_update_overflow(self, size):
++        """Regression test for gh-98517 CVE-2022-37454."""
++        h = hashlib.sha3_224()
++        h.update(b'\x01')
++        h.update(b'\x01'*0xffff_ffff)
++        self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
++
+     # use the three examples from Federal Information Processing Standards
+     # Publication 180-1, Secure Hash Standard,  1995 April 17
+     # http://www.itl.nist.gov/div897/pubs/fip180-1.htm
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+@@ -0,0 +1 @@
++Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
+--- a/Modules/_sha3/kcp/KeccakSponge.inc
++++ b/Modules/_sha3/kcp/KeccakSponge.inc
+@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instanc
+     i = 0;
+     curData = data;
+     while(i < dataByteLen) {
+-        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
++        if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
+ #ifdef SnP_FastLoop_Absorb
+             /* processing full blocks first */
+
+@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instanc
+         }
+         else {
+             /* normal lane: using the message queue */
+-
+-            partialBlock = (unsigned int)(dataByteLen - i);
+-            if (partialBlock+instance->byteIOIndex > rateInBytes)
++            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
+                 partialBlock = rateInBytes-instance->byteIOIndex;
++            else
++                partialBlock = (unsigned int)(dataByteLen - i);
+             #ifdef KeccakReference
+             displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
+             #endif
+@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instan
+     i = 0;
+     curData = data;
+     while(i < dataByteLen) {
+-        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
++        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
+             for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
+                 SnP_Permute(instance->state);
+                 SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
+@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instan
+                 SnP_Permute(instance->state);
+                 instance->byteIOIndex = 0;
+             }
+-            partialBlock = (unsigned int)(dataByteLen - i);
+-            if (partialBlock+instance->byteIOIndex > rateInBytes)
++            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
+                 partialBlock = rateInBytes-instance->byteIOIndex;
++            else
++                partialBlock = (unsigned int)(dataByteLen - i);
+             i += partialBlock;
+
+             SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
diff --git a/packages/p/python38/python38.changes b/packages/p/python38/python38.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Oct 28 19:43:13 UTC 2022 - Matej Cepl <[email protected]>
+
+- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
+  bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
+  overflow in hashlib.sha3_* implementations (originally from the
+  XKCP library).
+
 -------------------------------------------------------------------
 Fri Oct 21 10:14:03 UTC 2022 - Matej Cepl <[email protected]>
 

diff --git a/packages/p/python38/python38.spec b/packages/p/python38/python38.spec
@@ -176,6 +176,10 @@ Patch37:        platlibdir-in-sys.patch
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 [email protected]
 # this patch makes things totally awesome
 Patch38:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
+# PATCH-FIX-UPSTREAM CVE-2022-37454-sha3-buffer-overflow.patch bsc#1204577 [email protected]
+# Fix original buffer overflow
+# Originally from gh#python/cpython#98528
+Patch39:        CVE-2022-37454-sha3-buffer-overflow.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -444,6 +448,7 @@ other applications.
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
+%patch39 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac