SHA-3 code execution bug patched in PHP – check your version!
This official implementation, known as XKCP, short for eXtended Keccak Code Package, is a collection of open source library code for Keccak and a range of related cryptographic tools from the Keccak team, including their authenticated encryption algorithms Ketje and Keyak, pseudorandom generators called Kravatte and Xoofff, and a lightweight encryption algorithm for low-power processors called Xoodyak.
As you can imagine, code that hashes remotely uploaded data is likely either to retrieve the entire object before hashing it locally, typically by processing a fixed-length buffer of much smaller size over and over, or to fold each received chunk into the hash as it goes, typically receiving far more modestly-sized chunks at each network call.
If you told the NetUSB code that you wanted to send an unimaginably large amount of data that just happened to be within 17 bytes of the 4GB limit imposed by using 32-bit integers, you provoked an integer overflow.
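The wrap-around described above, as an added illustration in C (not code from NetUSB, XKCP or the original article): it contrasts an unchecked 32-bit size calculation with a validated one. The function names, the 1 MiB cap and the assumption that 17 bytes of overhead are added to the claimed length are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this example: 17 bytes of fixed overhead are added to the
 * length the sender claims, and 1 MiB is the largest request we accept. */
#define OVERHEAD_BYTES 17u
#define MAX_CLAIMED_LEN (1u << 20)

/* Unchecked form: uint32_t arithmetic is modulo 2^32, so a claimed length
 * within 17 bytes of 4GB wraps to a tiny allocation size. */
uint32_t alloc_size_unchecked(uint32_t claimed_len)
{
    return (uint32_t)(claimed_len + OVERHEAD_BYTES);
}

/* Hardened form: validate before adding, so the sum can never wrap. */
bool alloc_size_checked(uint32_t claimed_len, uint32_t *out)
{
    if (claimed_len > MAX_CLAIMED_LEN)
        return false;                       /* policy limit */
    if (claimed_len > UINT32_MAX - OVERHEAD_BYTES)
        return false;                       /* arithmetic limit, kept explicit */
    *out = claimed_len + OVERHEAD_BYTES;
    return true;
}

int main(void)
{
    /* Constructed sample lengths: one ordinary, three near the 32-bit limit. */
    const uint32_t samples[] = { 100u, 0xFFFFFFEEu, 0xFFFFFFEFu, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t safe = 0;
        bool ok = alloc_size_checked(samples[i], &safe);
        printf("claimed=%10lu unchecked=%10lu checked=%s\n",
               (unsigned long)samples[i],
               (unsigned long)alloc_size_unchecked(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

A buffer sized by the unchecked result is far smaller than the length the sender claimed, which is why the length must be rejected before any arithmetic or allocation takes place.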
If the calling code didn't crash or detect the unexpected error, it could produce an incorrect result, which could cause a hash validation to go wrong.
Unlike OpenSSL, the XKCP implementation of SHA-3 is not very widely used, but the XKCP code does appear in at least PHP 8, which has recently been patched to prevent this bug.
If you have any code of your own that uses XKCP, you can update XKCP from its GitHub page.