Bug 1519595 (CVE-2017-1000158)

Summary: CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adev88, bkabrda, cstratak, dmalcolm, extras-orphan, hhorak, ishcherb, jeffrey.ness, jorton, kevin, lzachar, mcyprian, mhroncok, mmezynsk, pebarbos, pviktori, python-maint, python-sig, rkuska, slawomir, TicoTimo, tomspur, torsava
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python 2.7.14 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-08 19:02:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1519601, 1519602, 1519603, 1519604, 1519605, 1519606    
Bug Blocks: 1519600    

Description Sam Fowler 2017-12-01 01:19:14 UTC 
In Python 2.7, Python 3.4 and Python 3.5 there is a possible integer overflow in PyString_DecodeEscape function of the file stringobject.c, which can be abused to gain a heap overflow, possibly leading to arbitrary code execution.

References:
https://bugs.python.org/issue30657
http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html
https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
Comment 1 Sam Fowler 2017-12-01 01:45:18 UTC 
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1519606]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1519602]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1519604]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1519605]


Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 1519601]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1519603]
Comment 2 Pedro Yóssis Silva Barbosa 2017-12-08 18:22:54 UTC 
External References:

http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html
Comment 6 Pedro Yóssis Silva Barbosa 2017-12-08 19:03:10 UTC 
Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7, and python27-python, rh-python34-python, and rh-python35-python as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 9 Pedro Yóssis Silva Barbosa 2017-12-11 12:24:18 UTC 
Upstream commit:

https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
Comment 10 Miro Hrončok 2017-12-11 13:27:29 UTC 
And for 3.4 and 3.5:

https://github.com/python/cpython/commit/6c004b40f9d51872d848981ef1a18bb08c2dfc42
https://github.com/python/cpython/commit/fd8614c5c5466a14a945db5b059c10c0fb8f76d9
Comment 13 Pedro Yóssis Silva Barbosa 2018-03-15 13:17:51 UTC 
"You need to compile a 1 GiB Python file on 32-bit system for reproducing it. It is very unlikely that this can happen by accident, and it is hard to used it in security attack. If you can make the attacked program compiling a 1 GiB Python file, you perhaps have easier ways to make a harm."

Ref: http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html

"In the highly unlikely but definitely possible situation that we pass it a very large string (in the order of ~1GB on a 32-bit Python install), one can reliably get heap corruption."

Ref: https://bugs.python.org/msg295930