Bug 1277488

Summary: python-pycurl: use-after-free vulnerability in HTTPPOST when using FORM_BUFFERPTR with Unicode string
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: kdudka, slawomir
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-pycurl 7.19.5.2
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-12-01 13:52:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1277489, 1277490
Bug Blocks: 1277491

Description Adam Mariš 2015-11-03 13:10:22 UTC
A use-after-free vulnerability was found in Curl object's HTTPPOST setopt when a Unicode value is passed as a value with a FORM_BUFFERPTR. The str object created from the passed in unicode object would have its buffer used but the unicode object would be stored instead of the str object.

Upstream patch:

https://github.com/clintclayton/pycurl/commit/2a743674dcf152beaaf6adaddb1ef51b18d1fffe
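
The lifetime error described above, as an added example that is not part of the bug report and is not pycurl's code: a simplified C model in which `Obj`, `Form`, `set_form_buffer` and `run_model` are hypothetical names. It shows why keeping a reference to the unicode object leaves the buffer pointer dangling, and why keeping the encoded str does not.

```c
#include <string.h>

/* Stand-in for a refcounted Python object that owns a byte buffer.
   Released objects are only flagged, never freed, so the model can be
   inspected without touching freed memory. */
typedef struct { int refcnt; int released; char buf[32]; } Obj;

static void obj_incref(Obj *o) { o->refcnt++; }
static void obj_decref(Obj *o) { if (--o->refcnt == 0) o->released = 1; }

/* Stand-in for the form entry: like a BUFFERPTR option, it keeps the
   caller's pointer instead of copying the bytes. */
typedef struct { const char *bufptr; Obj *owner; Obj *kept_ref; } Form;

/* Stand-in for encoding a unicode object into a new temporary str. */
static void encode(const Obj *uni, Obj *tmp) {
    tmp->refcnt = 1;
    tmp->released = 0;
    strncpy(tmp->buf, uni->buf, sizeof tmp->buf - 1);
    tmp->buf[sizeof tmp->buf - 1] = '\0';
}

/* keep_encoded = 0 models the bug: the unicode object is referenced.
   keep_encoded = 1 models the fix: the str whose buffer is used is referenced. */
static void set_form_buffer(Form *f, Obj *uni, Obj *tmp, int keep_encoded) {
    encode(uni, tmp);
    f->bufptr = tmp->buf;          /* pointer into the temporary str */
    f->owner = tmp;                /* model-only bookkeeping for the check below */
    f->kept_ref = keep_encoded ? tmp : uni;
    obj_incref(f->kept_ref);
    obj_decref(tmp);               /* temporary reference dropped on return (assumed) */
}

/* Returns 1 if the buffer the form points at still belongs to a live object. */
static int form_buffer_live(const Form *f) { return !f->owner->released; }

/* Runs one scenario on a constructed sample value. */
static int run_model(int keep_encoded) {
    Obj uni = { 1, 0, "constructed sample" };
    Obj tmp;
    Form f;
    set_form_buffer(&f, &uni, &tmp, keep_encoded);
    return form_buffer_live(&f);
}

int main(void) {
    return (run_model(0) == 0 && run_model(1) == 1) ? 0 : 1;
}
```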

Comment 1 Adam Mariš 2015-11-03 13:10:50 UTC
Created python-pycurl tracking bugs for this issue:

Affects: fedora-all [bug 1277489]
Affects: epel-5 [bug 1277490]

Comment 2 Kamil Dudka 2015-11-03 18:22:31 UTC
(In reply to Adam Mariš from comment #1)
> Affects: epel-5 [bug 1277490]

How are you confirming that epel-5 is affected?

I see no CURLFORM_BUFFERPTR handling in python-pycurl-7.15.5.1-4.el5.

Comment 4 Tomas Hoger 2015-12-01 13:52:29 UTC
CURLFORM_BUFFERPTR support was only introduced in pycurl version 7.19.3. The versions used in Red Hat Enterprise Linux 7 and earlier are 7.19.0 or earlier. Therefore, no version currently in Red Hat Enterprise Linux is affected by this issue. The problem was fixed upstream in 7.19.5.2.