MEDIUM
GHSA-8f95-v3jq-cj86
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small
Details
### Impact The argon2i_32 implementation does not check the nb_blocks size. If the caller does not provide a sufficiently large buffer based on the API contract, then argon2i_32 will write past the end of the buffer and possibly corrupt the heap.
### Patches Fixed in 4.0.2.8, which now verifies that nb_blocks is large enough. See [90ff5b1](https://github.com/jetperch/pymonocypher/commit/90ff5b13b13b5673c372e188f482d8c172e6ab86).
### Workarounds Provide a correctly sized nb_blocks buffer.
pymonocypher thanks Haris (hextheshadow) for the vulnerability report, details, and recommended fix.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / pymonocypher
Introduced in:
0 Fixed in: 4.0.2.8 Fix
pip install --upgrade 'pymonocypher>=4.0.2.8'