Bug 1153321 - use-after-free bug in handling pycurl.POSTFIELDS
Summary: use-after-free bug in handling pycurl.POSTFIELDS
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-pycurl   
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
Assignee: Kamil Dudka
QA Contact: Branislav Náter
Lenka Špačková
URL:
Whiteboard:
Keywords: Patch
Depends On:
Blocks: 1289025 1305230
 
Reported: 2014-10-15 18:48 UTC by Giuseppe Paterno'
Modified: 2016-11-03 23:04 UTC (History)

Fixed In Version: python-pycurl-7.19.0-19.el7
Doc Type: Bug Fix
Doc Text:
The `pycurl.POSTFIELDS` option of *PycURL* now works correctly. Previously, the *PycURL* interface violated the *libcurl* API, which requires a string passed by the `CURLOPT_POSTFIELDS` option to remain valid until the transfer finishes. Consequently, if the `pycurl.POSTFIELDS` option was used, *libcurl* accessed a string beyond its lifetime, which resulted in undefined behavior. An upstream patch has been applied to the *PycURL* source code to make sure that the string passed to the `CURLOPT_POSTFIELDS` option of *libcurl* remains valid long enough, and the described problem no longer occurs.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 23:04:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Script to reproduce the problem (942 bytes, text/plain)
2014-10-15 18:48 UTC, Giuseppe Paterno'


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2156 normal SHIPPED_LIVE python-pycurl bug fix and enhancement update 2016-11-03 13:13:38 UTC

Description Giuseppe Paterno' 2014-10-15 18:48:38 UTC
Created attachment 947290
Script to reproduce the problem

Description of problem:

A Python script using pycurl running on RHEL7 is behaving differently from RHEL6. The same script works fine on Mac OS X and Debian, including RHEL6 and CentOS6.

The pycurl version is exactly the same in RHEL6, RHEL7, Debian and MacOS.

During a POST containing a urlencoded version of a base64 (SSH key), a strange binary is sent under RHEL7, while a standard HTTP POST is performed under RHEL6.

The included script is a reduced version of a bigger component (securepass-tools) to reproduce the problem.

Version-Release number of selected component (if applicable):
pip version -> pycurl (7.19.0)
RPM -> python-pycurl-7.19.0-17.el7.x86_64

How reproducible:
Always on RHEL7
Works on RHEL6, MacOS and Debian

Steps to Reproduce:
1. Use nc -l 5000 to simulate a web server
2. Execute the included script (or optionally available on https://gist.github.com/gpaterno/8eae080e4d5d33970876)
3. See the strange result

Actual results:
POST /test/ HTTP/1.1
User-Agent: PycURL/7.29.0
Host: localhost:5000
Accept: */*
Content-Length: 438
Content-Type: application/x-www-form-urlencoded

??????8??????????A`??????@??p?????з?1??.?6zoK5D2T1??.?X8COpdH51??.?z%2FFP3X1??.?Evw%3D%31


Expected results:
POST /test/ HTTP/1.1
User-Agent: PycURL/7.24.0
Host: localhost:5000
Accept: */*
Content-Length: 438
Content-Type: application/x-www-form-urlencoded

USERNAME=foobar&ATTRIBUTE=sshkey&VALUE=ssh-rsa+AADDB3NzaC1yc2EAAAABIwAAAQEA6ezbY7Pb9Ld2fRRgIzEaQln66HgJL0MkHPv7fYsU3Eo%2B8F5gC%2BgY4nbxCCuvvJ652WltW786Es1kduWpT13gKkT2TCqvXhC%2BTDbml5Rp9ECvrSs4Xlc2nYQb%2BMVwbEnnu3c92WaXs4q4Sjj2lTAAo6ftsjT00uqWUbjX1NoshnH9mo34NCnI2XniI50dNfDx4VxMK5ZRn6zoK5D2T9bKEsAHsmQpNKo9ySKai4SMVP%2FGnhAhyjLQtq5X8COpdH5AUJy4RHYyL0upF0ClvWYnLpPZuPajsoOZgruu3OQz%2FFP3XsosMZ04ZNL84mSDSBKE%2F6N2DMBxw9tl4cuHRx1Evw%3D%3D+


Additional info:
Note that the payload is actually a form of binary.

Comment 2 Kamil Dudka 2014-10-15 20:48:51 UTC
Thank you for reporting the bug!

There is a use-after-free defect in pycurl's code.  The following upstream commit fixes it:

https://github.com/pycurl/pycurl/commit/b01a04fb
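
The lifetime contract behind this defect, as a small added C model that is not part of the bug report and is not PycURL's or libcurl's code: `struct handle`, `set_post` and `body_survives` are hypothetical names, and the release of the temporary string is simulated by overwriting it so the program stays well-defined. libcurl's `CURLOPT_POSTFIELDS` keeps only the caller's pointer, while `CURLOPT_COPYPOSTFIELDS` copies the data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a transfer handle; not libcurl's struct. */
struct handle {
    const char *post;  /* pointer the transfer reads the body from */
    char *owned;       /* set only when the handle keeps a private copy */
};

/* copy == 0 stores the caller's pointer, as CURLOPT_POSTFIELDS does;
   copy != 0 duplicates the bytes, as CURLOPT_COPYPOSTFIELDS does. */
static int set_post(struct handle *h, const char *data, int copy) {
    char *dup = NULL;
    if (copy) {
        dup = malloc(strlen(data) + 1);
        if (dup == NULL) return -1;
        strcpy(dup, data);
    }
    free(h->owned);
    h->owned = dup;
    h->post = copy ? dup : data;
    return 0;
}

/* Returns 1 if the body read at transfer time equals what the caller set. */
int body_survives(int copy) {
    static const char form[] = "USERNAME=foobar&ATTRIBUTE=sshkey"; /* constructed */
    struct handle h = { NULL, NULL };
    char *temp = malloc(sizeof form);      /* the binding's temporary string */
    if (temp == NULL) return -1;
    memcpy(temp, form, sizeof form);
    if (set_post(&h, temp, copy) != 0) { free(temp); return -1; }
    /* Stand-in for "temporary released and its memory reused": the buffer is
       overwritten rather than freed, so the read below stays well-defined. */
    memset(temp, '?', sizeof form - 1);
    int ok = strcmp(h.post, form) == 0;    /* the transfer reads the body here */
    free(h.owned);
    free(temp);
    return ok;
}

int main(void) {
    printf("borrowed pointer intact: %d\n", body_survives(0));
    printf("private copy intact:     %d\n", body_survives(1));
    return 0;
}
```

With the borrowed pointer the body read at transfer time is no longer the form data, which matches the corrupted request body with an unchanged Content-Length shown in the report.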

Comment 11 errata-xmlrpc 2016-11-03 23:04:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2156.html

