
SHA-3 Buffer Overflow

Over the past few months, I’ve been coordinating the disclosure of a new vulnerability that I’ve found. Today is the disclosure date, so I am excited that I can finally talk about what I’ve been working on! The vulnerability has been assigned CVE-2022-37454 and bug reports are available for Python, PHP, PyPy, pysha3, SHA3 for Ruby, and XKCP.

The vulnerability impacts the eXtended Keccak Code Package (XKCP), which is the “official” SHA-3 implementation by its designers. It also impacts various projects that have incorporated this code, such as the Python and PHP scripting languages.