Bug 1153321 - use-after-free bug in handling pycurl.POSTFIELDS
Summary: use-after-free bug in handling pycurl.POSTFIELDS
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-pycurl
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Kamil Dudka
QA Contact: Branislav Náter
Lenka Špačková
Depends On:
Blocks: 1289025 1305230
Reported: 2014-10-15 18:48 UTC by Giuseppe Paterno'
Modified: 2016-11-03 23:04 UTC (History)

Fixed In Version: python-pycurl-7.19.0-19.el7
Doc Type: Bug Fix
Doc Text:
The `pycurl.POSTFIELDS` option of *PycURL* now works correctly. Previously, the *PycURL* interface violated the *libcurl* API, which requires a string passed by the `CURLOPT_POSTFIELDS` option to remain valid until the transfer finishes. Consequently, if the `pycurl.POSTFIELDS` option was used, *libcurl* accessed a string beyond its lifetime, which resulted in undefined behavior. An upstream patch has been applied to the *PycURL* source code to make sure that the string passed to the `CURLOPT_POSTFIELDS` option of *libcurl* remains valid long enough, and the described problem no longer occurs.
Clone Of:
Last Closed: 2016-11-03 23:04:55 UTC
Target Upstream Version:

Attachments
Script to reproduce the problem (942 bytes, text/plain)
2014-10-15 18:48 UTC, Giuseppe Paterno'

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHBA-2016:2156 | 0 | normal | SHIPPED_LIVE | python-pycurl bug fix and enhancement update | 2016-11-03 13:13:38 UTC |

Description Giuseppe Paterno' 2014-10-15 18:48:38 UTC
Created attachment 947290 [details]
Script to reproduce the problem

Description of problem:

A Python script using pycurl running on RHEL7 is behaving differently from RHEL6. The same script works fine on Mac OS X and Debian, including RHEL6 and CentOS6.

The pycurl version is exactly the same in RHEL6, RHEL7, Debian and MacOS.

During a POST containing a urlencoded version of a base64 (SSH key), a strange binary is sent under RHEL7, while a standard HTTP POST is performed under RHEL6.

The included script is a reduced version of a bigger component (securepass-tools) to reproduce the problem.

Version-Release number of selected component (if applicable):
pip version -> pycurl (7.19.0)
RPM -> python-pycurl-7.19.0-17.el7.x86_64

How reproducible:
Always on RHEL7
Works on RHEL6, MacOS and Debian

Steps to Reproduce:
1. Use nc -l 5000 to simulate a web server
2. Execute the included script (or optionally available on https://gist.github.com/gpaterno/8eae080e4d5d33970876)
3. See the strange result

Actual results:
POST /test/ HTTP/1.1
User-Agent: PycURL/7.29.0
Host: localhost:5000
Accept: */*
Content-Length: 438
Content-Type: application/x-www-form-urlencoded


Expected results:
POST /test/ HTTP/1.1
User-Agent: PycURL/7.24.0
Host: localhost:5000
Accept: */*
Content-Length: 438
Content-Type: application/x-www-form-urlencoded


Additional info:
Note that the payload is actually a form of binary.

Comment 2 Kamil Dudka 2014-10-15 20:48:51 UTC
Thank you for reporting the bug!

There is a use-after-free defect in pycurl's code.  The following upstream commit fixes it:


Comment 11 errata-xmlrpc 2016-11-03 23:04:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
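
The lifetime contract from the Doc Text above, as a small C model added here (not libcurl or PycURL code, and not the upstream patch). `struct handle`, `set_postfields_borrow`, `set_postfields_copy`, `perform` and `body_survives` are hypothetical names, and the POST body is a constructed sample; the copying setter is one way to keep the string valid long enough.

```c
/* Added model of the CURLOPT_POSTFIELDS lifetime contract; not libcurl or
 * PycURL code. Every name below is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* body: what perform() sends; owned: set only when the handle holds a copy */
struct handle { const char *body; char *owned; };

/* Borrowing setter: stores the pointer only; caller must keep data valid. */
static void set_postfields_borrow(struct handle *h, const char *data) {
    free(h->owned);
    h->owned = NULL;
    h->body = data;
}

/* Copying setter: the handle keeps its own copy. Returns 0, or -1 on OOM. */
static int set_postfields_copy(struct handle *h, const char *data) {
    char *copy = malloc(strlen(data) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, data);
    free(h->owned);
    h->body = h->owned = copy;
    return 0;
}

/* Stands in for the transfer: writes the body that would go on the wire. */
static void perform(const struct handle *h, char *out, size_t cap) {
    snprintf(out, cap, "%s", h->body);
}

/* Returns 1 if the body sent equals the body that was set, 0 if not. The
 * caller's buffer is overwritten before the transfer, standing in for a
 * temporary string whose memory was reused; no real free() is involved,
 * so the demonstration itself stays well-defined. */
static int body_survives(int use_copy) {
    const char *want = "key=c3NoLXJzYSBBQUFB";  /* constructed sample */
    char scratch[64] = {0}, sent[64];
    struct handle h = {NULL, NULL};
    snprintf(scratch, sizeof scratch, "%s", want);
    if (!use_copy) set_postfields_borrow(&h, scratch);
    else if (set_postfields_copy(&h, scratch) != 0) return -1;
    memset(scratch, 0xEE, sizeof scratch - 1);  /* memory reused elsewhere */
    perform(&h, sent, sizeof sent);
    free(h.owned);
    return strcmp(sent, want) == 0;
}

int main(void) {
    printf("borrowed intact=%d\n", body_survives(0));
    printf("copied intact=%d\n", body_survives(1));
    return 0;
}
```

With the borrowed pointer the body that reaches `perform` is whatever now occupies the caller's buffer, which matches the reporter's observation of a binary payload in place of the form data.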

