RE: CVE-2022-37454 SHA-3 buffer overflow

2022-10-24 Thread Job Cacka
That is good to hear as it touches many things. Thanks for letting me know.

Job

-----Original Message-----
From: Tomas Mraz
Sent: Monday, October 24, 2022 1:58 AM
To: Job Cacka; openssl-users@openssl.org
Subject: Re: CVE-2022-37454 SHA-3 buffer overflow

The implementation of SHA-3 in

Re: CVE-2022-37454 SHA-3 buffer overflow

2022-10-24 Thread Tomas Mraz
The implementation of SHA-3 in OpenSSL is different from the vulnerable one. There is a plain C implementation and also assembly implementation for various CPU architectures. See crypto/sha/keccak1600.c and crypto/sha/asm/keccak1600*.pl. None of these should suffer from the CVE-2022-37454. The SHA

RE: CVE-2022-37454 SHA-3 buffer overflow

2022-10-21 Thread Job Cacka
This is probably more difficult to exploit than I thought in my first read through.

Workarounds

The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to r