Red Hat Bugzilla – Bug 1541558
CVE-2018-1000030 python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c
Last modified: 2018-02-07 13:58:05 EST
Python 2.7.x is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. References: https://bugs.python.org/issue31530 https://github.com/CVEProject/cvelist/pull/292/files/5dae4ae63f0c19fb7e30b0f9ee1cf21e232209b1#diff-97ec95c41730bace57df441d3f00c9a3 https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0 Patch: https://bugs.python.org/file47157/0001-stop-crashes-when-iterating-over-a-file-on-multiple-.patch
Created python tracking bugs for this issue: Affects: fedora-all [bug 1541559]
Statement: Versions of Python 2 included in Red Hat Enterprise Linux 6 and 7 are affected by this issue. Reading concurrently from the same file handle in multiple threads is inherently unstable, and should not be relied upon in any real program. This issue is not planned to be fixed in future releases.