Bug 1146026 (CVE-2014-7185) - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
Summary: CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-7185
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1146027 1146028 1187779 1206572 1206574
Blocks: 1146029 1210268
TreeView+ depends on / blocked
 
Reported: 2014-09-24 10:26 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 06:10 UTC (History)
16 users (show)

Fixed In Version: python 2.7.8
Doc Type: Bug Fix
Doc Text:
An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control those arguments could use this flaw to disclose portions of the application memory or cause it to crash.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:35:02 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1064 0 normal SHIPPED_LIVE Moderate: python27 security, bug fix, and enhancement update 2015-06-04 12:28:00 UTC
Red Hat Product Errata RHSA-2015:1330 0 normal SHIPPED_LIVE Moderate: python security, bug fix, and enhancement update 2015-07-20 18:00:12 UTC
Red Hat Product Errata RHSA-2015:2101 0 normal SHIPPED_LIVE Moderate: python security, bug fix, and enhancement update 2015-11-19 11:04:15 UTC

Description Vasyl Kaigorodov 2014-09-24 10:26:38 UTC 
It was reported [1] that Python 2.7.8 fixes a potential wraparound in buffer() with possible CWE-200 implications.

While the CVE request is forPython 2.7, reporter also indicated that earlier versions (1.6.1 through 2.6.9) were also affected.

PoC:
--- overflow.py ---
import sys
a = bytearray('here be dragons')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
-------------------

Upstream fix is in [2].

[1]: http://seclists.org/oss-sec/2014/q3/638
[2]: https://hg.python.org/cpython/diff/8d963c7db507/Objects/bufferobject.c
Comment 1 Vasyl Kaigorodov 2014-09-24 10:27:05 UTC 
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1146027]
Comment 2 Vasyl Kaigorodov 2014-09-24 10:27:08 UTC 
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1146028]
Comment 3 Murray McAllister 2014-09-26 02:15:53 UTC 
MITRE assigned CVE-2014-7185 to this issue:

http://openwall.com/lists/oss-security/2014/09/25/47
Comment 4 Fedora Update System 2014-10-01 04:24:35 UTC 
python-2.7.5-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Vincent Danen 2014-10-15 20:45:21 UTC 
Upstream bug report:

http://bugs.python.org/issue21831
Comment 7 Vincent Danen 2014-10-15 20:57:24 UTC 
Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 7. A future update may address this issue.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 8 Tomas Hoger 2014-10-27 11:59:21 UTC 
Full upstream commit:

https://hg.python.org/cpython/rev/8d963c7db507

Related commit adding the CVE id to the NEWS file:

https://hg.python.org/cpython/rev/5ef28c22dc24
Comment 9 Tomas Hoger 2014-10-27 12:10:59 UTC 
This problem is in the buffer() implementation.  When creating new buffer object, offset and size arguments were not checked properly to ensure they are within bounds of the existing object.  An integer overflow in the check could cause python to allow out of bounds read, which could lead to information disclosure or application crash.

https://docs.python.org/2/library/functions.html?highlight=buffer#buffer

This bug is only an issue if offset and size arguments are untrusted.

The buffer() was removed from Python 3 and hence Python 3 was not affected by this issue.
Comment 12 Fedora Update System 2014-10-28 06:37:30 UTC 
python-2.7.5-14.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2015-06-04 08:30:07 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html
Comment 17 errata-xmlrpc 2015-07-22 06:39:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1330 https://rhn.redhat.com/errata/RHSA-2015-1330.html
Comment 19 errata-xmlrpc 2015-11-19 12:42:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html
Note You need to log in before you can comment on or make changes to this bug.