From 569d100b185b50db8659db1b56721952d0b1a783 Mon Sep 17 00:00:00 2001 From: mcepl <> Date: Sat, 29 Oct 2022 18:16:10 +0000 Subject: [PATCH] Update python38 to version 3.8.15 / rev 29 via SR 1032060 https://build.opensuse.org/request/show/1032060 by user mcepl + dimstar_suse - Add CVE-2022-37454-sha3-buffer-overflow.patch to fix bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer overflow in hashlib.sha3_* implementations (originally from the XKCP library). --- packages/p/python38/.files | Bin 2409 -> 2488 bytes packages/p/python38/.rev | 11 +++ .../CVE-2022-37454-sha3-buffer-overflow.patch | 93 ++++++++++++++++++ packages/p/python38/python38.changes | 8 ++ packages/p/python38/python38.spec | 5 + 5 files changed, 117 insertions(+) create mode 100644 packages/p/python38/CVE-2022-37454-sha3-buffer-overflow.patch diff --git a/packages/p/python38/.files b/packages/p/python38/.files index f2be103ff867659207cdfb5ae3b0c9f6c69218cb..28780689d8fa92e7b1055ed479f73b145858a390 100644 GIT binary patch delta 298 zcmX}mJ4ypV9DwnCWKC28K~G>KSZtWb&g_h!1YZOcwX(30*?G7~$S&E$Ac&oP!r$JM zIe>_zoyV}%D_9vD5Ac2bzSrK?SIcUMqLt9|yiEuK0U!PjG<^yaKZTBeK7Bu(9^5C^ z34zm;Cmd5_kjR`wDv?~sOj(`sMcyj!hI!GaqOEh)zqS?d+6~OZ35-JwKf%L^la%4q zC5$U-q(g?_3`vbK5>^nocx>%o9L59@64NwcNnGWM#@Wa@JBW*0J8->X+%DBn=kO97 z!DE17J2-|`{R}RbUg0z9VoDj}j*CnSjgWIjAYvF>fEiPo{7IYt(yFu?s;CE@h{3Ej YgN@}bd^IG@8+$+-BY3Vq!Bu_t7Z7DyQUCw| delta 219 zcmdlX{8GrVpt!_EG5k-(a16>E!E82&@3q} z5vWR_pt2+*KhM}gFF7MIFFmz*aw}u~WGhC$iH$}RUj 1031407 + + f5d3e39492364c973823fa92d178c3b5 + 3.8.15 + + dimstar_suse + - Add CVE-2022-37454-sha3-buffer-overflow.patch to fix + bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer + overflow in hashlib.sha3_* implementations (originally from the + XKCP library). + 1032060 + diff --git a/packages/p/python38/CVE-2022-37454-sha3-buffer-overflow.patch b/packages/p/python38/CVE-2022-37454-sha3-buffer-overflow.patch new file mode 100644 index 00000000000..200e2453a45 --- /dev/null +++ b/packages/p/python38/CVE-2022-37454-sha3-buffer-overflow.patch @@ -0,0 +1,93 @@ +From 64ab634658a31de4e349c0ba8bc27a81c0c2a1f8 Mon Sep 17 00:00:00 2001 +From: Theo Buehler +Date: Fri, 21 Oct 2022 21:26:01 +0200 +Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module + (GH-98519) + +This is a port of the applicable part of XKCP's fix [1] for +CVE-2022-37454 and avoids the segmentation fault and the infinite +loop in the test cases published in [2]. + +[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a +[2]: https://mouha.be/sha-3-buffer-overflow/ + +Regression test added by: Gregory P. Smith [Google LLC] +(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) + +Co-authored-by: Theo Buehler +--- + Lib/test/test_hashlib.py | 9 ++++++ + Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 + Modules/_sha3/kcp/KeccakSponge.inc | 15 +++++----- + 3 files changed, 18 insertions(+), 7 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst + +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -434,6 +434,15 @@ class HashLibTestCase(unittest.TestCase) + def test_case_md5_uintmax(self, size): + self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') + ++ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') ++ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) ++ def test_sha3_update_overflow(self, size): ++ """Regression test for gh-98517 CVE-2022-37454.""" ++ h = hashlib.sha3_224() ++ h.update(b'\x01') ++ h.update(b'\x01'*0xffff_ffff) ++ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed') ++ + # use the three examples from Federal Information Processing Standards + # Publication 180-1, Secure Hash Standard, 1995 April 17 + # http://www.itl.nist.gov/div897/pubs/fip180-1.htm +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst +@@ -0,0 +1 @@ ++Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). +--- a/Modules/_sha3/kcp/KeccakSponge.inc ++++ b/Modules/_sha3/kcp/KeccakSponge.inc +@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instanc + i = 0; + curData = data; + while(i < dataByteLen) { +- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { ++ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { + #ifdef SnP_FastLoop_Absorb + /* processing full blocks first */ + +@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instanc + } + else { + /* normal lane: using the message queue */ +- +- partialBlock = (unsigned int)(dataByteLen - i); +- if (partialBlock+instance->byteIOIndex > rateInBytes) ++ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) + partialBlock = rateInBytes-instance->byteIOIndex; ++ else ++ partialBlock = (unsigned int)(dataByteLen - i); + #ifdef KeccakReference + displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); + #endif +@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instan + i = 0; + curData = data; + while(i < dataByteLen) { +- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { ++ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { + for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { + SnP_Permute(instance->state); + SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); +@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instan + SnP_Permute(instance->state); + instance->byteIOIndex = 0; + } +- partialBlock = (unsigned int)(dataByteLen - i); +- if (partialBlock+instance->byteIOIndex > rateInBytes) ++ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) + partialBlock = rateInBytes-instance->byteIOIndex; ++ else ++ partialBlock = (unsigned int)(dataByteLen - i); + i += partialBlock; + + SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); diff --git a/packages/p/python38/python38.changes b/packages/p/python38/python38.changes index 4939f1efd9b..e62835522a6 100644 --- a/packages/p/python38/python38.changes +++ b/packages/p/python38/python38.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Oct 28 19:43:13 UTC 2022 - Matej Cepl + +- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix + bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer + overflow in hashlib.sha3_* implementations (originally from the + XKCP library). + ------------------------------------------------------------------- Fri Oct 21 10:14:03 UTC 2022 - Matej Cepl diff --git a/packages/p/python38/python38.spec b/packages/p/python38/python38.spec index 5a54983d8a2..d7e73ecf531 100644 --- a/packages/p/python38/python38.spec +++ b/packages/p/python38/python38.spec @@ -176,6 +176,10 @@ Patch37: platlibdir-in-sys.patch # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com # this patch makes things totally awesome Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch +# PATCH-FIX-UPSTREAM CVE-2022-37454-sha3-buffer-overflow.patch bsc#1204577 mcepl@suse.com +# Fix original buffer overflow +# Originally from gh#python/cpython#98528 +Patch39: CVE-2022-37454-sha3-buffer-overflow.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -444,6 +448,7 @@ other applications. %patch36 -p1 %patch37 -p1 %patch38 -p1 +%patch39 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac