Bug 1146026 – CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1146026 - (CVE-2014-7185) CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read

Summary:	CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read

Status:	NEW

Aliases:	CVE-2014-7185

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20140623,reported=2...
Keywords:	Security

Depends On:	1146027 1146028 1187779 1206572 1206574
Blocks:	1146029 1210268
	Show dependency tree / graph

Reported:	2014-09-24 06:26 EDT by Vasyl Kaigorodov
Modified:	2018-02-14 23:28 EST (History)
CC List:	18 users (show)

See Also:
Fixed In Version:	python 2.7.8
Doc Type:	Bug Fix
Doc Text:	An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control those arguments could use this flaw to disclose portions of the application memory or cause it to crash.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1064	normal	SHIPPED_LIVE	Moderate: python27 security, bug fix, and enhancement update	2015-06-04 08:28:00 EDT
Red Hat Product Errata	RHSA-2015:1330	normal	SHIPPED_LIVE	Moderate: python security, bug fix, and enhancement update	2015-07-20 14:00:12 EDT
Red Hat Product Errata	RHSA-2015:2101	normal	SHIPPED_LIVE	Moderate: python security, bug fix, and enhancement update	2015-11-19 06:04:15 EST

Groups: None (edit)

Description Vasyl Kaigorodov 2014-09-24 06:26:38 EDT

It was reported [1] that Python 2.7.8 fixes a potential wraparound in buffer() with possible CWE-200 implications.

While the CVE request is forPython 2.7, reporter also indicated that earlier versions (1.6.1 through 2.6.9) were also affected.

PoC:
--- overflow.py ---
import sys
a = bytearray('here be dragons')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
-------------------

Upstream fix is in [2].

[1]: http://seclists.org/oss-sec/2014/q3/638
[2]: https://hg.python.org/cpython/diff/8d963c7db507/Objects/bufferobject.c

Comment 1 Vasyl Kaigorodov 2014-09-24 06:27:05 EDT

Created python tracking bugs for this issue:

Affects: fedora-all [bug 1146027]

Comment 2 Vasyl Kaigorodov 2014-09-24 06:27:08 EDT

Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1146028]

Comment 3 Murray McAllister 2014-09-25 22:15:53 EDT

MITRE assigned CVE-2014-7185 to this issue:

http://openwall.com/lists/oss-security/2014/09/25/47

Comment 4 Fedora Update System 2014-10-01 00:24:35 EDT

python-2.7.5-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vincent Danen 2014-10-15 16:45:21 EDT

Upstream bug report:

http://bugs.python.org/issue21831

Comment 7 Vincent Danen 2014-10-15 16:57:24 EDT

Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 7. A future update may address this issue.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 8 Tomas Hoger 2014-10-27 07:59:21 EDT

Full upstream commit:

https://hg.python.org/cpython/rev/8d963c7db507

Related commit adding the CVE id to the NEWS file:

https://hg.python.org/cpython/rev/5ef28c22dc24

Comment 9 Tomas Hoger 2014-10-27 08:10:59 EDT

This problem is in the buffer() implementation.  When creating new buffer object, offset and size arguments were not checked properly to ensure they are within bounds of the existing object.  An integer overflow in the check could cause python to allow out of bounds read, which could lead to information disclosure or application crash.

https://docs.python.org/2/library/functions.html?highlight=buffer#buffer

This bug is only an issue if offset and size arguments are untrusted.

The buffer() was removed from Python 3 and hence Python 3 was not affected by this issue.

Comment 12 Fedora Update System 2014-10-28 02:37:30 EDT

python-2.7.5-14.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2015-06-04 04:30:07 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html

Comment 17 errata-xmlrpc 2015-07-22 02:39:50 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1330 https://rhn.redhat.com/errata/RHSA-2015-1330.html

Comment 19 errata-xmlrpc 2015-11-19 07:42:59 EST

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html

Note You need to log in before you can comment on or make changes to this bug.