Bug 1918168 (CVE-2021-3177)
| Summary: | CVE-2021-3177 python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adev88, carl, cstratak, dmalcolm, hhorak, jeffrey.ness, jiehuang, jorton, kaycoth, kyoshida, lbalhar, manisandro, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rhel8-maint, rkuska, shcherbina.iryna, slavek.kabrda, steve.traylen, thrnciar, TicoTimo, tomspur, torsava, vstinner, yozone |
| Target Milestone: | --- | Keywords: | Reproducer, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 14:37:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1918169, 1918170, 1918172, 1918173, 1918174, 1918175, 1918176, 1918177, 1918298, 1918299, 1918300, 1918301, 1918302, 1918304, 1918659, 1918660, 1918661, 1918662, 1918663, 1918665, 1918666, 1918668, 1918669, 1918670, 1918671, 1918856, 1918857, 1918858, 1918859, 1918860, 1918861, 1918862, 1918863, 1918864, 1918865, 1918866, 1918867, 1918868, 1918869, 1918870, 1918871, 1918881, 1918882, 1918883, 1918885, 1919161, 1919162, 1919163, 1919164, 1920891, 1969493, 1969513 | ||
| Bug Blocks: | 1918171 | ||
|
Description
Marian Rehak
2021-01-20 08:45:57 UTC
Created mingw-python3 tracking bugs for this issue: Affects: fedora-all [bug 1918175] Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1918177] Created python34 tracking bugs for this issue: Affects: epel-all [bug 1918176] Affects: fedora-all [bug 1918169] Created python35 tracking bugs for this issue: Affects: fedora-all [bug 1918170] Created python36 tracking bugs for this issue: Affects: fedora-all [bug 1918172] Created python37 tracking bugs for this issue: Affects: fedora-all [bug 1918173] Created python39 tracking bugs for this issue: Affects: fedora-all [bug 1918174] I've asked Ned Deily to include the (already merged) fix in the upcoming 3.7.10 and 3.6.13 security releases. (In reply to Miro Hrončok from comment #3) > I've asked Ned Deily to include the (already merged) fix in the upcoming > 3.7.10 and 3.6.13 security releases. "Ned has postponed the upcoming security releases for the issue. Benjamin's fix has landed two days ago. The fixes will be included in 3.7.10 and 3.6.13." Other expected releases: 3.10.0a5: Monday, 2021-02-01 3.9.2rc1: Monday, 2021-02-01 3.9.2: Monday, 2021-02-15 3.8.8rc1: Monday, 2021-02-01 3.8.8: Monday, 2021-02-15 Created python2.7 tracking bugs for this issue: Affects: fedora-all [bug 1918659] Created python26 tracking bugs for this issue: Affects: fedora-all [bug 1918660] Created python27 tracking bugs for this issue: Affects: fedora-all [bug 1918661] Created python3.10 tracking bugs for this issue: Affects: fedora-all [bug 1918662] Created python3.5 tracking bugs for this issue: Affects: fedora-all [bug 1918663] Created python3.6 tracking bugs for this issue: Affects: fedora-all [bug 1918665] Created python3.7 tracking bugs for this issue: Affects: fedora-all [bug 1918666] Created python3.8 tracking bugs for this issue: Affects: fedora-all [bug 1918668] Created python3.9 tracking bugs for this issue: Affects: fedora-all [bug 1918669] This issue affects also Python 2 versions, not only Python 3. The issue is in function PyCArg_repr(), which constructs a string to return to the caller by using a buffer allocated on the stack with a size of 256 bytes. This buffer is filled with the sprintf function and the input is not validated, thus it is possible to overflow the buffer when executing the sprintf. Function PyCArg_rep() is called when for example you execute the `from_param` method. Statement: This flaw could have had a higher Impact, however our packages are compiled with FORTIFY_SOURCE, which provides runtime protection to some memory and string functions and prevents this flaw from actually overwriting the buffer and potentially executing code. (In reply to Miro Hrončok from comment #4) > (In reply to Miro Hrončok from comment #3) > > I've asked Ned Deily to include the (already merged) fix in the upcoming > > 3.7.10 and 3.6.13 security releases. > > "Ned has postponed the upcoming security releases for the issue. > Benjamin's fix has landed two days ago. The fixes will be included in > 3.7.10 and 3.6.13." The releases are postponed due to another security issue: https://bugs.python.org/issue42988 "Resolution of this issue is blocking 3.7.x and 3.6.x security releases and threatens to block upcoming maintenance releases." FEDORA-2021-e062e195e1 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-7fa9dc84d4 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1633 https://access.redhat.com/errata/RHSA-2021:1633 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3177 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1761 https://access.redhat.com/errata/RHSA-2021:1761 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1879 https://access.redhat.com/errata/RHSA-2021:1879 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5235 https://access.redhat.com/errata/RHSA-2022:5235 |