Bug 1214691 (CVE-2022-48566) - VUL-0: CVE-2022-48566: python-base,python36,python3,python: Use CRYPTO_memcmp() for compare_digest
Summary: VUL-0: CVE-2022-48566: python-base,python36,python3,python: Use CRYPTO_memcmp...
Status: RESOLVED FIXED
Alias: CVE-2022-48566
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/376070/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-48566:5.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-28 11:41 UTC by Cathy Hu
Modified: 2024-05-29 20:30 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Cathy Hu 2023-08-28 11:41:58 UTC
CVE-2022-48566

An issue was discovered in compare_digest in Lib/hmac.py in Python through
3.9.1. Constant-time-defeating optimisations were possible in the accumulator
variable in hmac.compare_digest.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48566
https://www.cve.org/CVERecord?id=CVE-2022-48566
https://bugs.python.org/issue40791
Comment 1 Cathy Hu 2023-08-28 11:42:16 UTC
Affected:
- SUSE:SLE-11-SP1:Update/python                                       2.6.9
- SUSE:SLE-11-SP1:Update/python-base                                  2.6.9

- SUSE:SLE-12-SP1:Update/python                                       2.7.18
- SUSE:SLE-12-SP1:Update/python-base                                  2.7.18
- SUSE:SLE-12-SP4:Update/python                                       2.7.18
- SUSE:SLE-12-SP4:Update/python-base                                  2.7.18
- SUSE:SLE-15:Update/python                                           2.7.18
- SUSE:SLE-15:Update/python-base                                      2.7.18
- openSUSE:Factory/python                                             2.7.18

- SUSE:SLE-12:Update/python3                                          3.4.10

- SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36  3.6.15
- SUSE:SLE-12-SP5:Update/python36                           3.6.15

Not affected:
- SUSE:SLE-15-SP3:Update/python39                           3.9.17
- openSUSE:Factory/python39                                 3.9.17

- SUSE:ALP:Source:Standard:1.0/python310                    3.10.10
- SUSE:SLE-15-SP4:Update/python310                          3.10.12
- openSUSE:Factory/python310                                3.10.12

- SUSE:ALP:Source:Standard:1.0/python311                    3.11.2
- SUSE:SLE-15-SP4:Update/python311                          3.11.4
- openSUSE:Factory/python311                                3.11.4
Comment 2 Matej Cepl 2023-09-09 15:20:31 UTC
> - SUSE:SLE-11-SP1:Update/python                                       2.6.9
> - SUSE:SLE-11-SP1:Update/python-base                                  2.6.9

Shouldn’t these be truly wholly completely dead?
https://smelt.suse.de/maintained/?q=python
Comment 3 Matej Cepl 2023-09-09 15:47:47 UTC
Isn’t this problem also for

- SUSE:SLE-15:Update/python3                                          3.6.15

???
Comment 4 Matej Cepl 2023-09-09 15:51:46 UTC
And also

- SUSE:SLE-15-SP3:Update/python3                                          3.6.15
Comment 5 Cathy Hu 2023-09-11 08:42:06 UTC
yes, matej is right, 

these are affected but dont need a fix:
- SUSE:SLE-11-SP1:Update/python                                       2.6.9
- SUSE:SLE-11-SP1:Update/python-base                                  2.6.9

these are also affected:
- SUSE:SLE-15:Update/python3                                          3.6.15
- SUSE:SLE-15-SP3:Update/python3                                          3.6.15

sorry for the mess, there was some issue with my tooling, internally we have this tracked already like this
Comment 6 Matej Cepl 2023-09-16 12:27:24 UTC
these are also affected:
- SUSE:SLE-15:Update/python3                                          3.6.15
- SUSE:SLE-15-SP3:Update/python3                                          3.6.15

No, they are not. The fix in https://github.com/python/cpython/commit/8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a actually is on 3.6.15 branch. I may modify *.changes to include specific mention of it, but I don't think I will do changelog-only changes to our package.
Comment 7 Matej Cepl 2023-09-16 12:32:15 UTC
Actually, I have still Python 2.* and 3.4 to fix.
Comment 8 OBSbugzilla Bot 2023-09-16 23:05:07 UTC
This is an autogenerated message for OBS integration:
This bug (1214691) was mentioned in
https://build.opensuse.org/request/show/1111680 Factory / python
Comment 10 Cathy Hu 2023-09-18 08:45:54 UTC
https://github.com/python/cpython/commit/db5aed931f8a617f7b63e773f62db468fe9c5ca1
is not in 3.6.15, but yeah the other commit should be sufficient.

updated tracking to not affected for 3.6.15
Comment 11 Matej Cepl 2023-09-30 16:45:51 UTC
Remaining SRs submitted.
Comment 13 Maintenance Automation 2023-10-06 16:29:05 UTC
SUSE-SU-2023:4001-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1214685, 1214691
CVE References: CVE-2022-48565, CVE-2022-48566
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-base-2.7.18-33.26.1, python-doc-2.7.18-33.26.1, python-2.7.18-33.26.1
SUSE Linux Enterprise Server 12 SP5 (src): python-base-2.7.18-33.26.1, python-doc-2.7.18-33.26.1, python-2.7.18-33.26.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-base-2.7.18-33.26.1, python-doc-2.7.18-33.26.1, python-2.7.18-33.26.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): python-base-2.7.18-33.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2023-10-26 16:30:08 UTC
SUSE-SU-2023:4220-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210638, 1214685, 1214691
CVE References: CVE-2022-48565, CVE-2022-48566, CVE-2023-27043
Sources used:
openSUSE Leap 15.4 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1, python-doc-2.7.18-150000.57.1
openSUSE Leap 15.5 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1, python-doc-2.7.18-150000.57.1
SUSE Package Hub 15 15-SP4 (src): python-base-2.7.18-150000.57.1
SUSE Package Hub 15 15-SP5 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1
SUSE Manager Proxy 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1
SUSE Manager Retail Branch Server 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1
SUSE Manager Server 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Marcus Meissner 2023-11-15 09:45:33 UTC
on sle11 python there is no compare_digest, so callers need to do this on their own.

So this specific CVE does not affect python 2.6 for SLE11.
Comment 18 Maintenance Automation 2024-02-14 16:36:41 UTC
SUSE-SU-2024:0464-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210638, 1214691
CVE References: CVE-2022-48566, CVE-2023-27043
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): python3-core-3.6.15-150000.3.138.1, python3-3.6.15-150000.3.138.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2024-03-14 20:30:05 UTC
SUSE-SU-2024:0901-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1214691, 1219666
CVE References: CVE-2022-48566, CVE-2023-6597
Sources used:
openSUSE Leap Micro 5.4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
openSUSE Leap 15.5 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1, python3-documentation-3.6.15-150300.10.57.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Micro 5.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Micro 5.4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Micro 5.5 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
Basesystem Module 15-SP5 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
Development Tools Module 15-SP5 (src): python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Manager Proxy 4.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Manager Retail Branch Server 4.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Manager Server 4.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Enterprise Storage 7.1 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Micro 5.2 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1
openSUSE Leap 15.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1, python3-documentation-3.6.15-150300.10.57.1
openSUSE Leap Micro 5.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Maintenance Automation 2024-05-29 20:30:02 UTC
SUSE-SU-2024:1847-1: An update that solves four vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1214691, 1219559, 1219666, 1220664, 1221563, 1221854, 1222075, 1222109
CVE References: CVE-2022-48566, CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33972](https://smelt.suse.de/incident/33972/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python36-core-3.6.15-55.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.