Fix possible heap buffer overflow in argon2i_32

.github/workflows/packaging.yml

@@ -1,4 +1,4 @@
-# Copyright 2021-2024 Jetperch LLC
+# Copyright 2021-2026 Jetperch LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -77,7 +77,7 @@ jobs:
         run: pytest
 
       - name: Upload python source package
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: sdist
           path: dist/*.tar.gz
@@ -96,7 +96,7 @@ jobs:
 
     steps:
       - name: Download sdist
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: sdist
           path: dist/
@@ -112,7 +112,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Install cibuildwheel
-        run: python -m pip install cibuildwheel==3.3
+        run: python -m pip install cibuildwheel==3.4.1
 
       - name: Build wheels
         env:
@@ -128,7 +128,7 @@ jobs:
         run: python -m cibuildwheel ${{ steps.find_sdist_filename.outputs.filename }}
 
       - name: Upload python wheels
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: python_wheel-${{ matrix.os }}-${{ matrix.python_version }}
           path: wheelhouse/*.whl
@@ -147,13 +147,13 @@ jobs:
 
     steps:
       - name: Download python sdist artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: sdist
           path: dist/
 
       - name: Download python wheel artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           pattern: python_wheel-*
           merge-multiple: true
@@ -164,12 +164,30 @@ jobs:
         run: ls dist/*
 
       - name: Publish packages to PyPi
-        uses: pypa/gh-action-pypi-publish@v1.13.0
+        uses: pypa/gh-action-pypi-publish@v1.14.0
         with:
           print-hash: true
 
       - name: Publish Release assets
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           files: |
             dist/*
+
+  deb:
+    name: Build deb package
+    if: github.event_name == 'push' && startswith(github.ref, 'refs/tags/v')
+    needs:
+      - publish_python
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        CC: ["clang", "gcc"]
+    steps:
+      - uses: actions/checkout@v6
+      - name: Install build dependencies
+        run: |
+          sudo apt update;
+          sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends clang gcc cython3 build-essential python3 python3-venv python3-build debhelper-compat pybuild-plugin-pyproject python3-all-dev python3-numpy;
+      - name: Build package
+        run: CC=${{ matrix.CC }} make deb

CHANGELOG.md

@@ -6,15 +6,20 @@ This file contains the list of changes made to pymonocypher.
 
 # 4.0.2.7
 
-2026 Feb 12
+2026 Jun 1
 
 * Addressed [Issue #18](https://github.com/jetperch/pymonocypher/issues/18)
-  * Added `x25519()` function exposing the raw X25519 shared secret primitive.
-  * Added `x25519_public_key()` function to compute X25519 public keys.
-  * Added `chacha20_h()` function exposing HChacha20 for key derivation.
-  * Deprecated `key_exchange()` — use `x25519()` with a KDF instead.
-  * Deprecated `compute_key_exchange_public_key()` — use `x25519_public_key()` instead.
-  * Deprecated `generate_key_exchange_key_pair()` — use `generate_key()` and `x25519_public_key()` instead.
+    * Added `x25519()` function exposing the raw X25519 shared secret primitive.
+    * Added `x25519_public_key()` function to compute X25519 public keys.
+    * Added `chacha20_h()` function exposing HChacha20 for key derivation.
+    * Deprecated `key_exchange()` — use `x25519()` with a KDF instead.
+    * Deprecated `compute_key_exchange_public_key()` — use `x25519_public_key()` instead.
+    * Deprecated `generate_key_exchange_key_pair()` — use `generate_key()` and `x25519_public_key()` instead.
+* Added parameter validation to prevent possible heap buffer overflow in argon2i_32.
+  * Thank you Haris (hextheshadow) for the vulnerability report & fix.
+* Added Python 3.14 to setup.py
+* Bumped GitHub actions versions.
+* Fixed debian package build to run after python release.
 
 
 # 4.0.2.6

c_monocypher.pyx

@@ -12,14 +12,14 @@ import warnings
 
 
 # also edit setup.py
-__version__ = '4.0.2.6'   # also change setup.py
+__version__ = '4.0.2.7'   # also change setup.py
 __title__ = 'pymonocypher'
 __description__ = 'Python ctypes bindings to the Monocypher library'
 __url__ = 'https://github.com/jetperch/pymonocypher'
 __author__ = 'Jetperch LLC'
 __author_email__ = 'joulescope-dev@jetperch.com'
 __license__ = 'BSD 2-clause'
-__copyright__ = 'Copyright 2018-2025 Jetperch LLC'
+__copyright__ = 'Copyright 2018-2026 Jetperch LLC'
 
 
 cdef extern from "monocypher.h":
@@ -329,6 +329,9 @@ def argon2i_32(nb_blocks, nb_iterations, password, salt, key=None, ad=None, _wip
     config.nb_passes = nb_iterations
     config.nb_lanes = 1
 
+    if config.nb_blocks < (config.nb_lanes * 8):
+       raise ValueError(f'nb_blocks must be >= {config.nb_lanes * 8}, got {config.nb_blocks}')
+
     cdef crypto_argon2_inputs inputs;
     inputs.pass_ = password
     inputs.pass_size = _validate_u32('password', len(password))

setup.py

@@ -11,7 +11,7 @@
 import os
 
 MYPATH = os.path.abspath(os.path.dirname(__file__))
-VERSION = '4.0.2.6'  # also change c_monocypher.pyx
+VERSION = '4.0.2.7'  # also change c_monocypher.pyx
 
 
 try:
@@ -70,6 +70,7 @@
         'Programming Language :: Python :: 3.11',
         'Programming Language :: Python :: 3.12',
         'Programming Language :: Python :: 3.13',
+        'Programming Language :: Python :: 3.14',
         'Programming Language :: C',
     ],