Bug 1146026 (CVE-2014-7185) - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
Summary: CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
Status: CLOSED ERRATA
Alias: CVE-2014-7185
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140623,reported=2...
Keywords: Security
Depends On: 1146027 1146028 1187779 1206572 1206574
Blocks: 1146029 1210268
TreeView+ depends on / blocked
 
Reported: 2014-09-24 10:26 UTC by Vasyl Kaigorodov
Modified: 2019-06-11 11:13 UTC (History)
16 users (show)

(edit)
An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control those arguments could use this flaw to disclose portions of the application memory or cause it to crash.
Clone Of:
(edit)
Last Closed: 2019-06-08 02:35:02 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1064 normal SHIPPED_LIVE Moderate: python27 security, bug fix, and enhancement update 2015-06-04 12:28:00 UTC
Red Hat Product Errata RHSA-2015:1330 normal SHIPPED_LIVE Moderate: python security, bug fix, and enhancement update 2015-07-20 18:00:12 UTC
Red Hat Product Errata RHSA-2015:2101 normal SHIPPED_LIVE Moderate: python security, bug fix, and enhancement update 2015-11-19 11:04:15 UTC

Description Vasyl Kaigorodov 2014-09-24 10:26:38 UTC
It was reported [1] that Python 2.7.8 fixes a potential wraparound in buffer() with possible CWE-200 implications.

While the CVE request is forPython 2.7, reporter also indicated that earlier versions (1.6.1 through 2.6.9) were also affected.

PoC:
--- overflow.py ---
import sys
a = bytearray('here be dragons')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
-------------------

Upstream fix is in [2].

[1]: http://seclists.org/oss-sec/2014/q3/638
[2]: https://hg.python.org/cpython/diff/8d963c7db507/Objects/bufferobject.c

Comment 1 Vasyl Kaigorodov 2014-09-24 10:27:05 UTC
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1146027]

Comment 2 Vasyl Kaigorodov 2014-09-24 10:27:08 UTC
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1146028]

Comment 3 Murray McAllister 2014-09-26 02:15:53 UTC
MITRE assigned CVE-2014-7185 to this issue:

http://openwall.com/lists/oss-security/2014/09/25/47

Comment 4 Fedora Update System 2014-10-01 04:24:35 UTC
python-2.7.5-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vincent Danen 2014-10-15 20:45:21 UTC
Upstream bug report:

http://bugs.python.org/issue21831

Comment 7 Vincent Danen 2014-10-15 20:57:24 UTC
Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 7. A future update may address this issue.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 8 Tomas Hoger 2014-10-27 11:59:21 UTC
Full upstream commit:

https://hg.python.org/cpython/rev/8d963c7db507

Related commit adding the CVE id to the NEWS file:

https://hg.python.org/cpython/rev/5ef28c22dc24

Comment 9 Tomas Hoger 2014-10-27 12:10:59 UTC
This problem is in the buffer() implementation.  When creating new buffer object, offset and size arguments were not checked properly to ensure they are within bounds of the existing object.  An integer overflow in the check could cause python to allow out of bounds read, which could lead to information disclosure or application crash.

https://docs.python.org/2/library/functions.html?highlight=buffer#buffer

This bug is only an issue if offset and size arguments are untrusted.

The buffer() was removed from Python 3 and hence Python 3 was not affected by this issue.

Comment 12 Fedora Update System 2014-10-28 06:37:30 UTC
python-2.7.5-14.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2015-06-04 08:30:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html

Comment 17 errata-xmlrpc 2015-07-22 06:39:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1330 https://rhn.redhat.com/errata/RHSA-2015-1330.html

Comment 19 errata-xmlrpc 2015-11-19 12:42:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html


Note You need to log in before you can comment on or make changes to this bug.