tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
SHA3 implementation problem
Hi!
https://eprint.iacr.org/2023/331
says
"This paper describes a vulnerability in several implementations of
the Secure Hash Algorithm 3 (SHA-3) that have been released by its
designers. The vulnerability has been present since the final-round
update of Keccak [...] It affects all software projects that have
integrated this code, [...]. The vulnerability is a buffer overflow
that allows attacker-controlled values to be eXclusive-ORed (XORed)
into memory (without any restrictions on values to be XORed and even
far beyond the location of the original buffer), thereby making many
standard protection measures against buffer overflows (e.g., canary
values) completely ineffective."
I looked for SHA 3 and keccak and found at least the following hits in
our tree:
common/lib/libc/hash/sha3/sha3.c
crypto/external/bsd/openssl/dist/crypto/evp/m_sha3.c
crypto/external/bsd/openssl/dist/crypto/sha/asm/
crypto/external/bsd/openssl/dist/crypto/sha/keccak1600.c
crypto/external/bsd/openssl/dist/crypto/evp/m_sha3.c
crypto/external/bsd/openssl.old/...
external/public-domain/sqlite/dist/shell.c
Has anyone investigated if NetBSD is affected and how often?
Thomas
Home |
Main Index |
Thread Index |
Old Index