On 07Nov2022 12:26, Gregory P. Smith wrote:
> I personally didn't feel this one was urgent enough to ask anyone to spend time doing an emergency security release as triggering the crash requires someone sending a multi-gigabyte amount of data into a sha3 hash function in a single .update() method call. That seems like a rare code pattern. How many applications ever do that vs doing I/O in smaller chunks with more frequent .update() calls?
As it happens I'm doing some work for a media archiving company and
we're looking at recording checksums for archived files. I _may_ well be
choosing to mmap a file and calling .update() on the mapping in one go.
That said, that's (a) niche and (b) not even written yet.
I think I'd still agree that this might be a nonurgent fix (haven't read
the CVE properly yet).
Cheers,
Cameron Simpson
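The mmap-and-hash-in-one-go pattern Cameron describes is exactly the shape that hands a multi-gigabyte buffer to a single .update() call. The code below is an added example, not from this thread or from CPython's own hashlib; it keeps the mmap approach (zero-copy reads straight from the page cache) but feeds the hasher bounded slices of a memoryview over the mapping, and compares the result with a conventional read loop and a one-shot digest. The 64 MiB chunk size, the choice of sha3_256 and the sample data are assumptions for illustration.

```python
import hashlib
import mmap
import os
import tempfile

# Assumed bound on the size of any single .update() call. Anything well
# below the multi-gigabyte region the thread discusses will do; 64 MiB is
# an arbitrary but realistic choice for an archiving job.
CHUNK = 64 * 1024 * 1024

# Constructed sample input (not real archive data): 256 000 bytes so that a
# small chunk size produces several full updates plus a partial last one.
SAMPLE = bytes(range(256)) * 1000


def digest_mapped_file(path, algorithm="sha3_256", chunk=CHUNK):
    """Hash a file through mmap, but never hand the hasher more than `chunk`
    bytes per .update() call.

    A memoryview over the mapping keeps this zero-copy: slicing the
    memoryview does not copy file contents, so each update still reads
    directly out of the mapping, just in bounded pieces instead of one call
    over the whole file.
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        size = os.fstat(f.fileno()).st_size
        if size == 0:
            # mmap refuses to map an empty file; the digest of b"" is fine.
            return h.hexdigest()
        # memoryview is released before mmap.close() runs, otherwise close()
        # raises BufferError because an export of the buffer is still alive.
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m, \
                memoryview(m) as view:
            for off in range(0, size, chunk):
                h.update(view[off:off + chunk])
    return h.hexdigest()


def digest_read_file(path, algorithm="sha3_256", chunk=CHUNK):
    """The conventional read-loop form, for comparison."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            h.update(buf)
    return h.hexdigest()


def write_sample_file(data):
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="sha3-chunk-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def verify_on_sample(data=SAMPLE, chunk=100_000):
    """Write `data` to a temp file, hash it three ways, delete the file and
    return the (mapped, read_loop, one_shot) hex digests. All three must
    agree: chunking the input never changes the digest, it only bounds the
    size of each .update() call."""
    path = write_sample_file(data)
    try:
        return (
            digest_mapped_file(path, chunk=chunk),
            digest_read_file(path, chunk=chunk),
            hashlib.sha3_256(data).hexdigest(),
        )
    finally:
        os.unlink(path)


if __name__ == "__main__":
    mapped, looped, one_shot = verify_on_sample()
    print("mmap, chunked :", mapped)
    print("read loop     :", looped)
    print("one-shot      :", one_shot)
    print("agree         :", mapped == looped == one_shot)
```

The slicing loop is the only change from the one-call version; a memoryview slice is a view, not a copy, so the archiving job keeps the I/O behaviour of mmap while each individual .update() stays bounded.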