CVE-2022-37454 – XKCP: buffer overflow in the SHA-3 reference implementation

https://notcve.org/view.php?id=CVE-2022-37454

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. La implementación de referencia de Keccak XKCP SHA-3 versiones anteriores a fdc6fef, presenta un desbordamiento de enteros y un desbordamiento de búfer resultante que permite a atacantes ejecutar código arbitrario o eliminar las propiedades criptográficas esperadas. Esto ocurre en la interfaz de la función sponge A flaw was found in the Keccak XKCP SHA-3 reference implementation. The sponge function interface allows partial input data to be processed, and partial output to be produced. • https://csrc.nist.gov/projects/hash-functions/sha-3-project https://eprint.iacr.org/2023/331 https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org&# • CWE-190: Integer Overflow or Wraparound CWE-680: Integer Overflow to Buffer Overflow •