Bug 1519595 - (CVE-2017-1000158) CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170613,repor...
Keywords: Security
Depends On: 1519601 1519602 1519603 1519604 1519605 1519606
Blocks: 1519600
Reported: 2017-11-30 20:19 EST by Sam Fowler
Modified: 2018-03-15 09:40 EDT
Fixed In Version: python 2.7.14
Last Closed: 2017-12-08 14:02:50 EST
Description Sam Fowler 2017-11-30 20:19:14 EST
In Python 2.7, Python 3.4 and Python 3.5 there is a possible integer overflow in the PyString_DecodeEscape function of the file stringobject.c, which can be abused to gain a heap overflow, possibly leading to arbitrary code execution.

References:
https://bugs.python.org/issue30657
http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html
https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
Comment 1 Sam Fowler 2017-11-30 20:45:18 EST
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1519606]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1519602]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1519604]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1519605]


Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 1519601]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1519603]
Comment 2 Pedro Yóssis Silva Barbosa 2017-12-08 13:22:54 EST
External References:

http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html
Comment 6 Pedro Yóssis Silva Barbosa 2017-12-08 14:03:10 EST
Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7, and python27-python, rh-python34-python, and rh-python35-python as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 9 Pedro Yóssis Silva Barbosa 2017-12-11 07:24:18 EST
Upstream commit:

https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
Comment 13 Pedro Yóssis Silva Barbosa 2018-03-15 09:17:51 EDT
"You need to compile a 1 GiB Python file on a 32-bit system for reproducing it. It is very unlikely that this can happen by accident, and it is hard to use it in a security attack. If you can make the attacked program compile a 1 GiB Python file, you perhaps have easier ways to do harm."

Ref: http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html

"In the highly unlikely but definitely possible situation that we pass it a very large string (in the order of ~1GB on a 32-bit Python install), one can reliably get heap corruption."

Ref: https://bugs.python.org/msg295930
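
An added illustration, not part of this bug report and not the CPython source: a model of why a length around 1 GiB matters on a 32-bit build, with an unchecked size computation beside a guarded one. The 4x expansion factor, the 32-bit size type and all function names are assumptions made for the example; the upstream commit linked above is the authoritative change.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit build: sizes are signed 32-bit values. */
typedef int32_t ssize32_t;
#define SSIZE32_MAX INT32_MAX
#define EXPANSION 4u   /* assumed worst-case growth factor (illustration only) */

/* Unchecked: the product is reduced modulo 2^32, so a large input
 * length can yield a small allocation size. */
uint32_t alloc_size_unchecked(ssize32_t len)
{
    return (uint32_t)len * EXPANSION;
}

/* Checked: refuse any length whose product does not fit the size type.
 * Returns 0 and stores the size on success, -1 on overflow. */
int alloc_size_checked(ssize32_t len, ssize32_t *out)
{
    if (len < 0 || len > SSIZE32_MAX / (ssize32_t)EXPANSION)
        return -1;   /* caller should raise an overflow error */
    *out = len * (ssize32_t)EXPANSION;
    return 0;
}

/* 1 if the unchecked result differs from the true byte count, or the
 * true count is not representable as a signed 32-bit size. */
int size_is_wrong(ssize32_t len)
{
    uint64_t needed = (uint64_t)len * EXPANSION;
    return needed > (uint64_t)SSIZE32_MAX || alloc_size_unchecked(len) != needed;
}

int main(void)
{
    /* Constructed sample lengths: small, last safe value, first unsafe, 1 GiB. */
    ssize32_t samples[] = { 1000, SSIZE32_MAX / 4, SSIZE32_MAX / 4 + 1, 1 << 30 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ssize32_t out = 0;
        int rc = alloc_size_checked(samples[i], &out);
        printf("len=%ld unchecked=%u checked=%s wrong=%d\n",
               (long)samples[i], (unsigned)alloc_size_unchecked(samples[i]),
               rc == 0 ? "ok" : "rejected", size_is_wrong(samples[i]));
    }
    return 0;
}
```

In this model the guard rejects exactly the non-negative lengths for which the unchecked size is wrong, and a 1 GiB input produces an unchecked size of 0.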
