CVE-2022-29242

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-29242
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29242.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-29242
Aliases
  • GHSA-2rmw-8wpg-vgw5
Published
2022-05-24T14:55:13Z
Modified
2025-11-28T03:48:14.355199Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Buffer Overflow on creating key transport blob in GOST Engine
Details

GOST engine is a reference implementation of the Russian GOST crypto algorithms for OpenSSL. TLS clients using GOST engine are vulnerable to a buffer overflow when the ciphersuite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC is agreed and the server uses 512-bit GOST secret keys. GOST engine version 3.0.1 contains a patch for this issue. Disabling the ciphersuite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC is a possible workaround.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29242.json",
    "cwe_ids": [
        "CWE-120"
    ],
    "cna_assigner": "GitHub_M"
}

Affected packages

Git / github.com/gost-engine/engine

Affected ranges

Type
GIT
Repo
https://github.com/gost-engine/engine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v3.*

v3.0.0

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "length": 2169.0,
            "function_hash": "237362269457491663453226401506872244564"
        },
        "signature_version": "v1",
        "id": "CVE-2022-29242-28d20ecf",
        "source": "https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808",
        "target": {
            "function": "pkey_GOST_ECcp_decrypt",
            "file": "gost_ec_keyx.c"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "length": 2032.0,
            "function_hash": "185396379853141806682485981741785033222"
        },
        "signature_version": "v1",
        "id": "CVE-2022-29242-3bfd62ee",
        "source": "https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808",
        "target": {
            "function": "pkey_gost2018_decrypt",
            "file": "gost_ec_keyx.c"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "id": "CVE-2022-29242-453c2f44",
        "source": "https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808",
        "target": {
            "file": "gost_ec_keyx.c"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "length": 487.0,
            "function_hash": "21195533197373550816777427030843025154"
        },
        "signature_version": "v1",
        "id": "CVE-2022-29242-cc967c72",
        "source": "https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808",
        "target": {
            "function": "pkey_gost_decrypt",
            "file": "gost_ec_keyx.c"
        }
    }
]