pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?

Related Vulnerabilities: CVE-2022-37454  

Debian Bug report logs - #1023030


Reported by: Stefano Rivera <stefanor@debian.org>

Date: Sat, 29 Oct 2022 12:03:02 UTC

Severity: grave

Tags: security, upstream

Found in versions pysha3/1.0.2-2, pysha3/1.0.2-4.1, pysha3/1.0.2-4.2

Forwarded to https://github.com/tiran/pysha3/issues/29



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ben Finney <bignose@debian.org>:
Bug#1023030; Package src:pysha3. (Sat, 29 Oct 2022 12:03:05 GMT)


Acknowledgement sent to Stefano Rivera <stefanor@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Ben Finney <bignose@debian.org>. (Sat, 29 Oct 2022 12:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Stefano Rivera <stefanor@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?
Date: Sat, 29 Oct 2022 13:58:48 +0200
Source: pysha3
Version: 1.0.2-4.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Forwarded: https://github.com/tiran/pysha3/issues/29

pysha3 is affected by CVE-2022-37454, a security issue in Keccak
See: https://github.com/python/cpython/issues/98517
https://mouha.be/sha-3-buffer-overflow/

This is a backport module to bring a feature from Python 3.6 back to
older versions.

It seems very dead upstream, should we just remove it from the archive?

There is currently one reverse-dependency, python-opentimestamps, and I
think we can trivially migrate that to use hashlib.

SR
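The migration the report proposes (dropping the unmaintained pysha3 backport in favour of the standard library) is straightforward on Python 3.6 and later, where hashlib already provides the FIPS 202 constructors. The shim below is an added example, not code from the bug report, from pysha3, or from python-opentimestamps; it assumes the caller only needs the sha3_* and shake_* constructors. The keccak_* names that pysha3 also exported (original Keccak padding, not FIPS 202) have no hashlib equivalent, so the shim refuses them rather than silently computing a different hash. It also includes a check that hashing in several `update()` calls matches a single call, since the incremental absorb path is where the Keccak issue the report cites was found and a migration test suite should exercise it.

```python
"""hashlib-based replacement for the constructors of the pysha3 `sha3` module.

Added example for the migration discussed in Debian bug #1023030; not the
project's own code. Assumes Python >= 3.6 (SHA-3 present in hashlib).
"""
import hashlib

# Constructors pysha3 exported that hashlib provides under the same names.
_SHA3_IN_HASHLIB = {
    "sha3_224", "sha3_256", "sha3_384", "sha3_512", "shake_128", "shake_256",
}
# XOFs need an explicit output length when a digest is requested.
_SHAKE = {"shake_128", "shake_256"}


def hashlib_supports_sha3():
    """True if this interpreter's hashlib provides every SHA-3 constructor."""
    return _SHA3_IN_HASHLIB <= set(hashlib.algorithms_available)


def new(name, data=b""):
    """Replacement for pysha3's `sha3.<name>(data)` constructors.

    keccak_224/256/384/512 are rejected: they use the pre-FIPS-202 padding
    and produce different digests, so mapping them onto sha3_* would
    silently break interoperability.
    """
    if name not in _SHA3_IN_HASHLIB:
        raise LookupError(
            f"{name!r} has no hashlib equivalent (keccak_* is not FIPS 202 SHA-3)"
        )
    return hashlib.new(name, data)


def hexdigest(name, data, length=32):
    """One-shot hex digest; `length` (bytes) is only used for SHAKE."""
    h = new(name, data)
    return h.hexdigest(length) if name in _SHAKE else h.hexdigest()


def digest_chunked(name, chunks, length=32):
    """Hash an iterable of byte chunks incrementally, as a streaming caller would."""
    h = new(name)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest(length) if name in _SHAKE else h.hexdigest()


def incremental_matches_one_shot(name, data, split_at):
    """Check that feeding `data` in two pieces yields the one-shot digest.

    The split leaves a partial block queued before the second update, which
    is the code path a migration test suite should cover, not just single
    calls on short inputs.
    """
    pieces = [data[:split_at], data[split_at:]]
    return digest_chunked(name, pieces) == hexdigest(name, data)


if __name__ == "__main__":
    print("hashlib has SHA-3:", hashlib_supports_sha3())
    # Constructed sample input: the FIPS 202 "abc" test vector.
    print("sha3_256(b'abc') =", hexdigest("sha3_256", b"abc"))
    print("chunked == one-shot:",
          incremental_matches_one_shot("sha3_256", b"abc" * 100, 7))
```

Usage: replace `import sha3` with `import hashlib` (or this shim) and call `hashlib.sha3_256(data)` directly; the `new()` wrapper only exists to make the unsupported keccak_* case fail loudly during the port.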



Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <bignose@debian.org>:
Bug#1023030; Package src:pysha3. (Sat, 29 Oct 2022 12:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ben Finney <bignose@debian.org>. (Sat, 29 Oct 2022 12:39:05 GMT)


Message #10 received at 1023030@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Stefano Rivera <stefanor@debian.org>, 1023030@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1023030: pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?
Date: Sat, 29 Oct 2022 14:34:35 +0200

Hi Stefano,

On Sat, Oct 29, 2022 at 01:58:48PM +0200, Stefano Rivera wrote:
> Source: pysha3
> Version: 1.0.2-4.2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> Forwarded: https://github.com/tiran/pysha3/issues/29
> 
> pysha3 is affected by CVE-2022-37454, a security issue in Keccak
> See: https://github.com/python/cpython/issues/98517
> https://mouha.be/sha-3-buffer-overflow/
> 
> This is a backport module to bring a feature from Python 3.6 back to
> older versions.
> 
> It seems very dead upstream, should we just remove it from the archive?
> 
> There is currently one reverse-dependency, python-opentimestamps, and I
> think we can trivially migrate that to use hashlib.

Probably a good idea, if we can have that happen in time for bookworm.
Will you work on the reverse dependency to make it possible and then
request the removal for src:pysha3?

Regards,
Salvatore



Marked as found in versions pysha3/1.0.2-4.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Oct 2022 12:45:05 GMT)


Marked as found in versions pysha3/1.0.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Oct 2022 12:45:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <bignose@debian.org>:
Bug#1023030; Package src:pysha3. (Sat, 29 Oct 2022 13:09:05 GMT)


Acknowledgement sent to stefanor@debian.org:
Extra info received and forwarded to list. Copy sent to Ben Finney <bignose@debian.org>. (Sat, 29 Oct 2022 13:09:05 GMT)


Message #19 received at 1023030@bugs.debian.org:

From: stefanor@debian.org
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 1023030@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1023030: pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?
Date: Sat, 29 Oct 2022 12:59:24 +0000

Hi Salvatore (2022.10.29_12:34:35_+0000)
> Probably a good idea, if we can have that happen in time for bookworm.
> Will you work on the reverse dependency to make it possible and then
> request the removal for src:pysha3?

Reverse dependency fixed, I'll file for RM now.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 29 13:24:18 2022; Machine Name: bembo
