Mailing List Archive

[CVE-2022-37454] SHA3 vulnerability and upcoming Python patches for 3.7 - 3.10
I’m looking for help understanding how Python will release fixes related to the SHA3 critical security vulnerability (CVE-2022-37454). I’ve tried to figure this out myself, but I’m far from a Python expert and I’m not sure where else I should look.

Apologies in advance if this is the wrong place to ask - if it is, a redirect to the correct place would be most appreciated.

Here’s what I’ve found so far:

* Python versions 3.6 through 3.10 appear to be affected
* 3.6 is end of life, so no fix is expected
* A code fix appears to have been applied to 3.7 through 3.10 https://github.com/python/cpython/issues/98517
* 3.9 and 3.10 by default use OpenSSL1.1.1+ if it’s available, appearing to default to the builtin, vulnerable SHA3 implementation if OpenSSL is not found (if there’s an exception)
* 3.9 introduced this change via bpo-37630 in release 3.9.0 beta1
* 3.10 appears to have had this functionality since it was originally released
* 3.11 uses tiny_sha3 and AFAICT was never affected by the CVE

But what I’m having trouble figuring out is when/how these fixes will become generally available and ready for users of Python to download.


* When will patched releases for Python 3.7-3.10 be released?
* If pending releases are not in the release pipeline, what other patching opportunities exist?

Ultimately I’m trying to set patching expectations for my company’s engineering teams who are still running vulnerable versions of Python.

More notes around what i’ve found, in case it helps clarify my questions: From the Python project GitHub I can see gh-98517 to fix the buffer overflow in Python’s internal _sha3 module (CVE-2022-37454) has been committed to the Python 3.7 - 3.10 branches. I understand that for Python releases 3.9 and 3.10 if one is using the OpenSSL 1.1.1+ sha3 modules instead of the internal _sha3 module that is already a mitigation. I also understand that Python 3.11 and later has switched to using tiny_sha3, and no longer relies on the vulnerable _sha3 module.

Any information you could point me at would be most helpful. If there is a more ideal forum to raise this question, please redirect me there.

Thank you in advance
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-leave@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/K7IYZUGOOLCGKZOLCZ27RSWZ7OWIP575/
Code of Conduct: http://python.org/psf/codeofconduct/
Re: [CVE-2022-37454] SHA3 vulnerability and upcoming Python patches for 3.7 - 3.10 [ In reply to ]
The patches to 3.6-3.10 have been merged, which means they will go out in
the next Python patch release for those updates. ie:
https://github.com/python/cpython/issues/98517

You can see the planned schedule of those on
https://peps.python.org/pep-0619/ and related similar peps for older
python versions (i never remember pep numbers, i just google for "python
3.8 release schedule" to get to such a PEP myself). For 3.9 and earlier
which are in "as-needed" security mode and no longer ship binaries I expect
we'll get to it within the next month. The patches are public and anyone
can apply them on their own. We've got other fixes for other issues coming,
so rolling one source only security release for every single issue isn't a
great use of time.

I personally didn't feel this one was urgent enough to ask anyone to spend
time doing an emergency security release as triggering the crash requires
someone sending a multi-gigabyte amount of data into a sha3 hash function
in a single .update() method call. That seems like a rare code pattern. How
many applications ever do that vs doing I/O in smaller chunks with more
frequent .update() calls?

Linux or other OS distros that bundle Python manage their own patches to
their runtimes and their security folks may need to be reminded to pick
these patches up if they have not already done so. Their schedules are
independent, they're likely to rapidly patch anything they agree with as
being a security issue. Distros are also likely the only ones who would
apply a backport to 3.6. Anything shipping Python <=3.8 or earlier *should*
have an interest in patching.

fwiw the forum I would've used for this is the github issue itself as that
is the canonical discussion.

-gps

On Mon, Nov 7, 2022 at 11:52 AM mark_topham--- via Python-Dev <
python-dev@python.org> wrote:

> I’m looking for help understanding how Python will release fixes related
> to the SHA3 critical security vulnerability (CVE-2022-37454). I’ve tried
> to figure this out myself, but I’m far from a Python expert and I’m not
> sure where else I should look.
>
> Apologies in advance if this is the wrong place to ask - if it is, a
> redirect to the correct place would be most appreciated.
>
> Here’s what I’ve found so far:
>
> * Python versions 3.6 through 3.10 appear to be affected
> * 3.6 is end of life, so no fix is expected
> * A code fix appears to have been applied to 3.7 through 3.10
> https://github.com/python/cpython/issues/98517
> * 3.9 and 3.10 by default use OpenSSL1.1.1+ if it’s available,
> appearing to default to the builtin, vulnerable SHA3 implementation if
> OpenSSL is not found (if there’s an exception)
> * 3.9 introduced this change via bpo-37630 in release 3.9.0 beta1
> * 3.10 appears to have had this functionality since it was
> originally released
> * 3.11 uses tiny_sha3 and AFAICT was never affected by the CVE
>
> But what I’m having trouble figuring out is when/how these fixes will
> become generally available and ready for users of Python to download.
>
>
> * When will patched releases for Python 3.7-3.10 be released?
> * If pending releases are not in the release pipeline, what other patching
> opportunities exist?
>
> Ultimately I’m trying to set patching expectations for my company’s
> engineering teams who are still running vulnerable versions of Python.
>
> More notes around what i’ve found, in case it helps clarify my questions:
> From the Python project GitHub I can see gh-98517 to fix the buffer
> overflow in Python’s internal _sha3 module (CVE-2022-37454) has been
> committed to the Python 3.7 - 3.10 branches. I understand that for Python
> releases 3.9 and 3.10 if one is using the OpenSSL 1.1.1+ sha3 modules
> instead of the internal _sha3 module that is already a mitigation. I also
> understand that Python 3.11 and later has switched to using tiny_sha3, and
> no longer relies on the vulnerable _sha3 module.
>
> Any information you could point me at would be most helpful. If there is
> a more ideal forum to raise this question, please redirect me there.
>
> Thank you in advance
> _______________________________________________
> Python-Dev mailing list -- python-dev@python.org
> To unsubscribe send an email to python-dev-leave@python.org
> https://mail.python.org/mailman3/lists/python-dev.python.org/
> Message archived at
> https://mail.python.org/archives/list/python-dev@python.org/message/K7IYZUGOOLCGKZOLCZ27RSWZ7OWIP575/
> Code of Conduct: http://python.org/psf/codeofconduct/
>
Re: [CVE-2022-37454] SHA3 vulnerability and upcoming Python patches for 3.7 - 3.10 [ In reply to ]
El lun, 7 nov 2022 a las 12:28, Gregory P. Smith (<greg@krypto.org>)
escribió:

>
> You can see the planned schedule of those on
> https://peps.python.org/pep-0619/ and related similar peps for older
> python versions (i never remember pep numbers, i just google for "python
> 3.8 release schedule" to get to such a PEP myself).
>
> You can now also use https://peps.python.org/topic/release/ to get all
the release schedule PEPs.
Re: [CVE-2022-37454] SHA3 vulnerability and upcoming Python patches for 3.7 - 3.10 [ In reply to ]
On Nov 7, 2022, at 15:26, Gregory P. Smith <greg@krypto.org> wrote:
> The patches to 3.6-3.10 have been merged, which means they will go out in the next Python patch release for those updates. ie: https://github.com/python/cpython/issues/98517\\

I believe Greg meant to type "3.7-3.10", since as noted earlier 3.6 has reached end-of-life. (Of course, downstream distributors of Python 3.6 could choose to provide a patch for 3.6 for their users.)

--
Ned Deily
nad@python.org -- []

_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-leave@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/WBQBZJMYL5UPBDVCEMPIAOBUBWSHOZLE/
Code of Conduct: http://python.org/psf/codeofconduct/
Re: [CVE-2022-37454] SHA3 vulnerability and upcoming Python patches for 3.7 - 3.10 [ In reply to ]
On 07Nov2022 12:26, Gregory P. Smith <greg@krypto.org> wrote:
>I personally didn't feel this one was urgent enough to ask anyone to
>spend
>time doing an emergency security release as triggering the crash requires
>someone sending a multi-gigabyte amount of data into a sha3 hash function
>in a single .update() method call. That seems like a rare code pattern. How
>many applications ever do that vs doing I/O in smaller chunks with more
>frequent .update() calls?

As it happens I'm doing some work for a media archiving company and
we're looking at recording checksums for archived files. I _may_ well be
choosing to mmap a file and calling .update() on the mapping in one go.

That said, that's (a) niche and (b) not even written yet.

I think I'd still agree that this might be a nonurgent fix (haven't read
the CVE properly yet).

Cheers,
Cameron Simpson <cs@cskk.id.au>
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-leave@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/AOBBVHKUAFXSY3D6T5OK53PFB44ZWY4N/
Code of Conduct: http://python.org/psf/codeofconduct/
Re: [CVE-2022-37454] SHA3 vulnerability and upcoming Python patches for 3.7 - 3.10 [ In reply to ]
Thank you all for your responses!

Best,
Mark
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-leave@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/WWVXPV5BOFOHE6ENRNSLZAQAP22E5ZLK/
Code of Conduct: http://python.org/psf/codeofconduct/