VDB
KO
MEDIUM

GHSA-8f95-v3jq-cj86

pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small

Details

### Impact The argon2i_32 implementation does not check the nb_blocks size. If the caller does not provide a sufficiently large buffer based on the API contract, then argon2i_32 will write past the end of the buffer and possibly corrupt the heap.

### Patches Fixed in 4.0.2.8, which now verifies that nb_blocks is large enough. See [90ff5b1](https://github.com/jetperch/pymonocypher/commit/90ff5b13b13b5673c372e188f482d8c172e6ab86).

### Workarounds Provide a correctly sized nb_blocks buffer.

pymonocypher thanks Haris (hextheshadow) for the vulnerability report, details, and recommended fix.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / pymonocypher
Introduced in: 0 Fixed in: 4.0.2.8
Fix pip install --upgrade 'pymonocypher>=4.0.2.8'

References