Search for packages
| purl | pkg:deb/debian/pysha3@1.0.2-2 |
| Next non-vulnerable version | 1.0.2-4.1+deb11u1 |
| Latest non-vulnerable version | 1.0.2-4.1+deb11u1 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-ewbq-2gm8-tyf5
Aliases: CVE-2022-37454 GHSA-6w4m-2xhg-2658 |
Buffer overflow in sponge queue functions ### Impact The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more. ### Patches Yes, see commit [fdc6fef0](https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a). ### Workarounds The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to retain the original functionality. Alternatively, one can process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether. ### References See [issue #105](https://github.com/XKCP/XKCP/issues/105) for more details. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T00:48:35.407305+00:00 | Debian Oval Importer | Affected by | VCID-ewbq-2gm8-tyf5 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.4.0 |
| 2026-04-12T00:21:06.266958+00:00 | Debian Oval Importer | Affected by | VCID-ewbq-2gm8-tyf5 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.3.0 |
| 2026-04-08T23:51:50.204426+00:00 | Debian Oval Importer | Affected by | VCID-ewbq-2gm8-tyf5 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.1.0 |