Bug 1146026 (CVE-2014-7185)

Summary: CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adev88, amcnabb, derks, dmalcolm, extras-orphan, ivazqueznet, jberan, jeffrey.ness, jonathansteffan, jorton, jshort, katzj, mmaslano, python-maint, tomspur, tradej
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python 2.7.8 Doc Type: Bug Fix
Doc Text:
An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control those arguments could use this flaw to disclose portions of the application memory or cause it to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:35:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1146027, 1146028, 1187779, 1206572, 1206574    
Bug Blocks: 1146029, 1210268    

Description Vasyl Kaigorodov 2014-09-24 10:26:38 UTC 
It was reported [1] that Python 2.7.8 fixes a potential wraparound in buffer() with possible CWE-200 implications.

While the CVE request is forPython 2.7, reporter also indicated that earlier versions (1.6.1 through 2.6.9) were also affected.

PoC:
--- overflow.py ---
import sys
a = bytearray('here be dragons')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
-------------------

Upstream fix is in [2].

[1]: http://seclists.org/oss-sec/2014/q3/638
[2]: https://hg.python.org/cpython/diff/8d963c7db507/Objects/bufferobject.c
Comment 1 Vasyl Kaigorodov 2014-09-24 10:27:05 UTC 
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1146027]
Comment 2 Vasyl Kaigorodov 2014-09-24 10:27:08 UTC 
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1146028]
Comment 3 Murray McAllister 2014-09-26 02:15:53 UTC 
MITRE assigned CVE-2014-7185 to this issue:

http://openwall.com/lists/oss-security/2014/09/25/47
Comment 4 Fedora Update System 2014-10-01 04:24:35 UTC 
python-2.7.5-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Vincent Danen 2014-10-15 20:45:21 UTC 
Upstream bug report:

http://bugs.python.org/issue21831
Comment 7 Vincent Danen 2014-10-15 20:57:24 UTC 
Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 7. A future update may address this issue.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 8 Tomas Hoger 2014-10-27 11:59:21 UTC 
Full upstream commit:

https://hg.python.org/cpython/rev/8d963c7db507

Related commit adding the CVE id to the NEWS file:

https://hg.python.org/cpython/rev/5ef28c22dc24
Comment 9 Tomas Hoger 2014-10-27 12:10:59 UTC 
This problem is in the buffer() implementation.  When creating new buffer object, offset and size arguments were not checked properly to ensure they are within bounds of the existing object.  An integer overflow in the check could cause python to allow out of bounds read, which could lead to information disclosure or application crash.

https://docs.python.org/2/library/functions.html?highlight=buffer#buffer

This bug is only an issue if offset and size arguments are untrusted.

The buffer() was removed from Python 3 and hence Python 3 was not affected by this issue.
Comment 12 Fedora Update System 2014-10-28 06:37:30 UTC 
python-2.7.5-14.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2015-06-04 08:30:07 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html
Comment 17 errata-xmlrpc 2015-07-22 06:39:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1330 https://rhn.redhat.com/errata/RHSA-2015-1330.html
Comment 19 errata-xmlrpc 2015-11-19 12:42:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html