Bug 1519595 (CVE-2017-1000158) - CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow
Summary: CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-1000158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1519601 1519602 1519603 1519604 1519605 1519606
Blocks: 1519600
TreeView+ depends on / blocked
 
Reported: 2017-12-01 01:19 UTC by Sam Fowler
Modified: 2021-06-10 13:47 UTC (History)
23 users (show)

Fixed In Version: python 2.7.14
Clone Of:
Environment:
Last Closed: 2017-12-08 19:02:50 UTC
Embargoed:

Attachments (Terms of Use)

Description Sam Fowler 2017-12-01 01:19:14 UTC 
In Python 2.7, Python 3.4 and Python 3.5 there is a possible integer overflow in PyString_DecodeEscape function of the file stringobject.c, which can be abused to gain a heap overflow, possibly leading to arbitrary code execution.

References:
https://bugs.python.org/issue30657
http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html
https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
Comment 1 Sam Fowler 2017-12-01 01:45:18 UTC 
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1519606]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1519602]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1519604]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1519605]


Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 1519601]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1519603]
Comment 2 Pedro Yóssis Silva Barbosa 2017-12-08 18:22:54 UTC 
External References:

http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html
Comment 6 Pedro Yóssis Silva Barbosa 2017-12-08 19:03:10 UTC 
Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7, and python27-python, rh-python34-python, and rh-python35-python as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 9 Pedro Yóssis Silva Barbosa 2017-12-11 12:24:18 UTC 
Upstream commit:

https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
Comment 10 Miro Hrončok 2017-12-11 13:27:29 UTC 
And for 3.4 and 3.5:

https://github.com/python/cpython/commit/6c004b40f9d51872d848981ef1a18bb08c2dfc42
https://github.com/python/cpython/commit/fd8614c5c5466a14a945db5b059c10c0fb8f76d9
Comment 13 Pedro Yóssis Silva Barbosa 2018-03-15 13:17:51 UTC 
"You need to compile a 1 GiB Python file on 32-bit system for reproducing it. It is very unlikely that this can happen by accident, and it is hard to used it in security attack. If you can make the attacked program compiling a 1 GiB Python file, you perhaps have easier ways to make a harm."

Ref: http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html

"In the highly unlikely but definitely possible situation that we pass it a very large string (in the order of ~1GB on a 32-bit Python install), one can reliably get heap corruption."

Ref: https://bugs.python.org/msg295930
Note You need to log in before you can comment on or make changes to this bug.