This issue tracker has been migrated to GitHub, and is currently read-only. For more information, see the GitHub FAQs in the Python Developer's Guide.

Created on 2007-09-19 01:02 by donmez, last changed 2022-04-11 14:56 by admin. This issue is now closed.
Files

| File name | Uploaded | Description |
|---|---|---|
| poc.py | donmez, 2007-09-19 01:02 | |
| python-2.5.CVE-2007-4965-int-overflow.patch | nevyn, 2007-09-19 21:05 | |
| python-2.5.CVE-2007-4965-int-overflow.patch | nevyn, 2007-09-19 22:07 | |
| python-2.5.CVE-2007-4965-int-overflow.patch | nevyn, 2007-10-22 21:43 | |
| python-2.5-int-overflow-2.patch | chmod007, 2008-04-07 23:32 | |
Messages (28)

msg56020 | Author: Ismail Donmez (donmez) | Date: 2007-09-19 01:02

As reported at http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065826.html . There is an integer overflow in the imageop module which results in an interpreter crash. The original proof-of-concept code is attached.

msg56022 | Author: Sean Reifschneider (jafo) (Python committer) | Date: 2007-09-19 02:27

It's unclear if this only causes a crash or if it can inject data. The referenced mailing list post points out where one error is.

msg56042 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2007-09-19 17:25

Cartman, please refrain from using vulgarities in your sample code. It's hard to take a bug report seriously with such variable names.

msg56045 | Author: Sean Reifschneider (jafo) (Python committer) | Date: 2007-09-19 20:16

Guido: That code came from the full-disclosure list posting; I think cartman was just passing it on.
msg56047 | Author: James Antill (nevyn) | Date: 2007-09-19 21:03

So I think this is all the places integer overflow checking is needed in imageop.c and rgbimgmodule.c. There might be checks here which can't be exploited anyway, and I haven't checked any other files yet. Feel free to comment. P.S. This is against the 2.5 in Fedora 7, but it should apply to upstream.

msg56049 | Author: Ismail Donmez (donmez) | Date: 2007-09-19 21:38

Guido, the PoC is taken as is, sorry.

msg56050 | Author: James Antill (nevyn) | Date: 2007-09-19 22:07

And now the obvious typo fix, *sigh*.

msg56051 | Author: Ismail Donmez (donmez) | Date: 2007-09-19 22:24

nevyn: Your patch cleanly applies to Python 2.4.4 and fixes the interpreter crash with poc.py. Thanks.

msg56052 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2007-09-19 22:56

Hm. First of all, it seems the imageop module has completely missed the Py_ssize_t changes. Second, I don't think that `if ( x != len / y )` is a valid replacement for `if ( x*y != len )` -- consider x==5, y==2, len==11.

msg56053 | Author: James Antill (nevyn) | Date: 2007-09-20 01:30

Guido: It's true that len can be slightly bigger than x*y; the big thing is that it can't be smaller, so we can malloc(len) and use up to x*y (which was my main focus). I first looked at any of this code today, but I didn't see any reason that having len be slightly larger would be a problem ... and in pretty much all cases it'll be len == x*y. However we could have both cases covered by doing:

    if ( (len != x*y) || (x != (len / y)) )

...but esp. at that point it seems like we'd want some interface so that we could just do something like:

    if ( check_multiplies2(len, x, y) )
msg56596 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2007-10-20 03:38

Neal, didn't you say you had a fix for this?

msg56659 | Author: James Antill (nevyn) | Date: 2007-10-22 21:43

Not sure who Neal is, and this probably isn't a final upstream fix ... but it's what I've applied to Fedora's python. It's basically the same patch as before, but it keeps the original * tests instead of just replacing them with / tests. So given:

    if x * y != len

...the first patch did:

    if len / x != y

...and this patch does:

    if x * y != len || len / x != y

msg58789 | Author: Jim Panetta (jhpanetta) | Date: 2007-12-19 02:54

Is this final yet? Our system security group is a little paranoid about buffer overflows of any sort and are starting to make noises. I can confirm that the Oct 20 patch applies against Python 2.5.1 on RHEL4, and that the string length error is generated when running poc.py.

msg58820 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2007-12-19 20:03

Sigh. I'll try to make time to review & apply this.

msg58828 | Author: James Antill (nevyn) | Date: 2007-12-19 20:43

I've applied the last patch I posted to recent RHEL and Fedora releases, and it doesn't seem to break anything ... and from what I could see it fixed the problem.

msg58829 | Author: Ismail Donmez (donmez) | Date: 2007-12-19 20:45

Same here for Pardus Linux; applied the patch without a regression.

msg63888 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2008-03-18 04:55

Sorry this missed the 2.5.2 release. I'll try to look again before 2.5.3 is imminent.
msg64682 | Author: David Remahl (chmod007) | Date: 2008-03-29 04:37

The following test cases still cause bus errors with the patch applied:

```python
import imageop; imageop.rgb82rgb('A'*(2**30), 32768, 32768)
import imageop; imageop.grey2rgb('A'*(2**30), 32768, 32768)
```
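The three length checks argued over in msg56052, msg56053 and msg56659, and the second overflow behind the msg64682 test cases, side by side. This is an added example, not code from the CPython tree or from any patch attached to this issue. It assumes the 32-bit C int that the 2.5-era imageop.c used for x, y and len (hence int32_t throughout), and the function names naive_len_check, div_len_check, combined_len_check, safe_mul and image_args_ok are invented for the illustration. The wrapping multiply is routed through uint32_t so the wraparound is defined behaviour rather than a signed overflow.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from CPython or from the patches on this issue.
 * The 2.5-era imageop.c parsed x, y and len as C ints ("s#ii"), assumed
 * here to be 32 bits, so everything below is done in int32_t.  The
 * wrapping multiply goes through uint32_t so the wraparound is defined
 * behaviour instead of a signed overflow. */
static int32_t wrapping_mul(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a * (uint32_t)b);
}

/* The check as originally written: if ( x*y != len ).
 * 65536 * 65536 wraps to 0, so a 0-byte string "matches" a 4 GiB image. */
int naive_len_check(int32_t x, int32_t y, int32_t len)
{
    return wrapping_mul(x, y) == len;
}

/* The first Fedora patch: the divide cannot wrap, but it accepts any len
 * in [x*y, x*y + x), e.g. Guido's x == 5, y == 2, len == 11. */
int div_len_check(int32_t x, int32_t y, int32_t len)
{
    if (x <= 0 || y <= 0 || len < 0)
        return 0;
    return len / x == y;
}

/* The second Fedora patch keeps both tests.  len / x == y implies
 * x*y <= len <= INT32_MAX, so the product cannot have wrapped, and then
 * x*y == len pins len to the exact size. */
int combined_len_check(int32_t x, int32_t y, int32_t len)
{
    if (x <= 0 || y <= 0 || len < 0)
        return 0;
    return wrapping_mul(x, y) == len && len / x == y;
}

/* Overflow-aware multiply for sizes: stores a*b in *out and returns 1,
 * or returns 0 when the product would not fit in an int32_t. */
int safe_mul(int32_t a, int32_t b, int32_t *out)
{
    if (a < 0 || b < 0)
        return 0;
    if (b != 0 && a > INT32_MAX / b)
        return 0;
    *out = a * b;
    return 1;
}

/* Full argument check for an x-by-y image with in_bpp bytes per input
 * pixel and out_bpp bytes per output pixel.  The msg64682 cases
 * (rgb82rgb / grey2rgb: in_bpp 1, out_bpp 4, x == y == 32768) pass the
 * input-length test because 32768*32768 == 2**30 fits, but the output
 * allocation 2**30 * 4 does not; checking it here is what stops them. */
int image_args_ok(int32_t x, int32_t y, int32_t len,
                  int32_t in_bpp, int32_t out_bpp)
{
    int32_t npix, in_size, out_size;

    if (x <= 0 || y <= 0 || len < 0 || in_bpp <= 0 || out_bpp <= 0)
        return 0;
    if (!safe_mul(x, y, &npix))
        return 0;
    if (!safe_mul(npix, in_bpp, &in_size) || in_size != len)
        return 0;
    if (!safe_mul(npix, out_bpp, &out_size))
        return 0;
    return 1;
}

int main(void)
{
    printf("naive    65536x65536, len 0     -> %d (wrapped, wrongly accepted)\n",
           naive_len_check(65536, 65536, 0));
    printf("divide   5x2, len 11            -> %d (slack, wrongly accepted)\n",
           div_len_check(5, 2, 11));
    printf("combined 5x2, len 11            -> %d\n", combined_len_check(5, 2, 11));
    printf("combined 65536x65536, len 0     -> %d\n", combined_len_check(65536, 65536, 0));
    printf("rgb82rgb 32768x32768, len 2**30 -> %d (output size overflows)\n",
           image_args_ok(32768, 32768, 1 << 30, 1, 4));
    return 0;
}
```

The combined test is sound on its own: if `len / x == y` holds then `x*y <= len` and both fit in the type, so the multiply in the other half cannot have wrapped. What it does not cover is any later product such as `x*y*4` for the output buffer, which is why the 2**30 cases survived the first two patches; every size that feeds an allocation needs its own overflow check, or the module needs to move to Py_ssize_t with the same discipline.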
msg64955 | Author: Neal Norwitz (nnorwitz) (Python committer) | Date: 2008-04-05 01:04

I think this was a module that I skipped. I think Anthony might have had a patch, but if we have a fix, I'm not sure it matters. We need to fix this for 2.5.3, upping the priority.

msg65130 | Author: David Remahl (chmod007) | Date: 2008-04-07 23:32

Uploading a patch that addresses the test cases above. It applies on top of nevyn's latest patch.

msg66394 | Author: Barry A. Warsaw (barry) (Python committer) | Date: 2008-05-08 02:59

This is not a release blocker for 2.6 or 3.0.

msg66405 | Author: Ismail Donmez (donmez) | Date: 2008-05-08 04:51

This _must_ be a release blocker for Python 3.0. It's a shame that this bug still is not fixed and a patch has been available for months now.

msg66407 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2008-05-08 04:54

imageop is deleted in 3.0. See PEP 3108. So it can't be a release blocker. This also explains my general lack of interest in this module.

msg66408 | Author: Ismail Donmez (donmez) | Date: 2008-05-08 05:42

I am sorry for the drama then. :)

msg70476 | Author: Benjamin Peterson (benjamin.peterson) (Python committer) | Date: 2008-07-31 02:10

Does anybody still care about this for 2.6?

msg70744 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2008-08-05 15:59

The two segfaults reported in msg64682 are still there in 2.6. I'm elevating this to release blocker but don't have time to fix this myself.

msg71477 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2008-08-19 20:26

Looking into this now.

msg71483 | Author: Guido van Rossum (gvanrossum) (Python committer) | Date: 2008-08-19 21:02

Latest patches applied to 2.5 branch: r65878. And to 2.6 trunk: r65880.
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:56:27 | admin | set | github: 45520 |
| 2008-08-19 21:02:22 | gvanrossum | set | status: open -> closed; resolution: accepted; messages: + msg71483 |
| 2008-08-19 20:26:18 | gvanrossum | set | messages: + msg71477 |
| 2008-08-16 01:26:41 | pitrou | set | nosy: - pitrou |
| 2008-08-11 13:25:40 | pitrou | set | nosy: + pitrou |
| 2008-08-05 15:59:18 | gvanrossum | set | priority: critical -> release blocker; assignee: gvanrossum -> (none); messages: + msg70744; versions: + Python 2.6 |
| 2008-07-31 02:10:04 | benjamin.peterson | set | nosy: + benjamin.peterson; messages: + msg70476 |
| 2008-05-08 05:42:10 | donmez | set | messages: + msg66408 |
| 2008-05-08 04:54:58 | gvanrossum | set | messages: + msg66407 |
| 2008-05-08 04:51:38 | donmez | set | messages: + msg66405 |
| 2008-05-08 02:59:07 | barry | set | priority: release blocker -> critical; nosy: + barry; messages: + msg66394 |
| 2008-04-07 23:32:29 | chmod007 | set | files: + python-2.5-int-overflow-2.patch; messages: + msg65130 |
| 2008-04-05 01:04:05 | nnorwitz | set | priority: high -> release blocker; nosy: + anthonybaxter; messages: + msg64955 |
| 2008-04-04 12:49:06 | matejcik | set | nosy: + matejcik |
| 2008-03-29 04:37:26 | chmod007 | set | nosy: + chmod007; messages: + msg64682 |
| 2008-03-18 04:55:58 | gvanrossum | set | messages: + msg63888; components: + Extension Modules, - Library (Lib) |
| 2007-12-19 20:45:50 | donmez | set | messages: + msg58829 |
| 2007-12-19 20:43:22 | nevyn | set | messages: + msg58828 |
| 2007-12-19 20:03:39 | gvanrossum | set | assignee: gvanrossum; messages: + msg58820 |
| 2007-12-19 02:54:29 | jhpanetta | set | nosy: + jhpanetta; messages: + msg58789 |
| 2007-10-22 21:43:05 | nevyn | set | files: + python-2.5.CVE-2007-4965-int-overflow.patch; messages: + msg56659 |
| 2007-10-20 03:38:31 | gvanrossum | set | nosy: + nnorwitz; messages: + msg56596 |
| 2007-09-25 04:53:34 | loewis | set | keywords: + patch |
| 2007-09-20 17:28:22 | jafo | set | priority: high |
| 2007-09-20 01:30:23 | nevyn | set | messages: + msg56053 |
| 2007-09-19 22:56:18 | gvanrossum | set | priority: high -> (no value); messages: + msg56052 |
| 2007-09-19 22:24:31 | donmez | set | messages: + msg56051 |
| 2007-09-19 22:07:02 | nevyn | set | files: + python-2.5.CVE-2007-4965-int-overflow.patch; messages: + msg56050 |
| 2007-09-19 21:38:38 | donmez | set | messages: + msg56049 |
| 2007-09-19 21:05:04 | nevyn | set | files: + python-2.5.CVE-2007-4965-int-overflow.patch |
| 2007-09-19 21:03:52 | nevyn | set | nosy: + nevyn; messages: + msg56047 |
| 2007-09-19 20:16:31 | jafo | set | messages: + msg56045 |
| 2007-09-19 17:25:50 | gvanrossum | set | nosy: + gvanrossum; messages: + msg56042 |
| 2007-09-19 02:27:43 | jafo | set | priority: high; nosy: + jafo; messages: + msg56022 |
| 2007-09-19 01:02:34 | donmez | create | |