Bug 1918168 (CVE-2021-3177) - CVE-2021-3177 python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c
Summary: CVE-2021-3177 python: Stack-based buffer overflow in PyCArg_repr in _ctypes/c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1918298 1918169 1918170 1918172 1918173 1918174 1918175 1918176 1918177 1918299 1918300 1918301 1918302 1918304 1918659 1918660 1918661 1918662 1918663 1918665 1918666 1918668 1918669 1918670 1918671 1918856 1918857 1918858 1918859 1918860 1918861 1918862 1918863 1918864 1918865 1918866 1918867 1918868 1918869 1918870 1918871 1918881 1918882 1918883 1918885 1919161 1919162 1919163 1919164 1920891 1969493 1969513
Blocks: 1918171
TreeView+ depends on / blocked
 
Reported: 2021-01-20 08:45 UTC by Marian Rehak
Modified: 2022-06-28 09:47 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-05-18 14:37:57 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3252 0 None None None 2021-08-24 08:05:26 UTC
Red Hat Product Errata RHSA-2021:3254 0 None None None 2021-08-24 08:09:05 UTC
Red Hat Product Errata RHSA-2022:5235 0 None None None 2022-06-28 09:47:13 UTC

Description Marian Rehak 2021-01-20 08:45:57 UTC
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input.

Reference:

https://bugs.python.org/issue42938
https://github.com/python/cpython/pull/24239

Comment 1 Marian Rehak 2021-01-20 08:47:19 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1918175]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1918177]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1918176]
Affects: fedora-all [bug 1918169]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1918170]


Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1918172]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1918173]


Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1918174]

Comment 3 Miro Hrončok 2021-01-20 12:26:02 UTC
I've asked Ned Deily to include the (already merged) fix in the upcoming 3.7.10 and 3.6.13 security releases.

Comment 4 Miro Hrončok 2021-01-20 13:17:31 UTC
(In reply to Miro Hrončok from comment #3)
> I've asked Ned Deily to include the (already merged) fix in the upcoming
> 3.7.10 and 3.6.13 security releases.

"Ned has postponed the upcoming security releases for the issue.
Benjamin's fix has landed two days ago. The fixes will be included in
3.7.10 and 3.6.13."

Comment 7 Miro Hrončok 2021-01-20 15:02:53 UTC
Other expected releases:

3.10.0a5: Monday, 2021-02-01

3.9.2rc1: Monday, 2021-02-01
3.9.2: Monday, 2021-02-15

3.8.8rc1: Monday, 2021-02-01
3.8.8: Monday, 2021-02-15

Comment 8 Riccardo Schirone 2021-01-21 10:31:57 UTC
Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 1918659]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1918660]


Created python27 tracking bugs for this issue:

Affects: fedora-all [bug 1918661]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 1918662]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 1918663]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 1918665]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 1918666]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 1918668]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 1918669]

Comment 10 Riccardo Schirone 2021-01-21 15:50:47 UTC
This issue affects also Python 2 versions, not only Python 3.

Comment 11 Riccardo Schirone 2021-01-21 15:54:10 UTC
The issue is in function PyCArg_repr(), which constructs a string to return to the caller by using a buffer allocated on the stack with a size of 256 bytes. This buffer is filled with the sprintf function and the input is not validated, thus it is possible to overflow the buffer when executing the sprintf. Function PyCArg_rep() is called when for example you execute the `from_param` method.

Comment 16 Riccardo Schirone 2021-01-22 09:21:42 UTC
Statement:

This flaw could have had a higher Impact, however our packages are compiled with FORTIFY_SOURCE, which provides runtime protection to some memory and string functions and prevents this flaw from actually overwriting the buffer and potentially executing code.

Comment 19 Miro Hrončok 2021-01-28 16:40:19 UTC
(In reply to Miro Hrončok from comment #4)
> (In reply to Miro Hrončok from comment #3)
> > I've asked Ned Deily to include the (already merged) fix in the upcoming
> > 3.7.10 and 3.6.13 security releases.
> 
> "Ned has postponed the upcoming security releases for the issue.
> Benjamin's fix has landed two days ago. The fixes will be included in
> 3.7.10 and 3.6.13."


The releases are postponed due to another security issue: https://bugs.python.org/issue42988

"Resolution of this issue is blocking 3.7.x and 3.6.x security releases and threatens to block upcoming maintenance releases."

Comment 20 Fedora Update System 2021-02-16 23:10:55 UTC
FEDORA-2021-e062e195e1 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Fedora Update System 2021-02-16 23:14:08 UTC
FEDORA-2021-7fa9dc84d4 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 22 errata-xmlrpc 2021-05-18 13:51:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1633 https://access.redhat.com/errata/RHSA-2021:1633

Comment 23 Product Security DevOps Team 2021-05-18 14:37:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3177

Comment 24 errata-xmlrpc 2021-05-18 14:50:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1761 https://access.redhat.com/errata/RHSA-2021:1761

Comment 25 errata-xmlrpc 2021-05-18 15:48:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1879 https://access.redhat.com/errata/RHSA-2021:1879

Comment 26 errata-xmlrpc 2021-08-24 08:05:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252

Comment 27 errata-xmlrpc 2021-08-24 08:09:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 31 errata-xmlrpc 2022-06-28 09:47:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5235 https://access.redhat.com/errata/RHSA-2022:5235


Note You need to log in before you can comment on or make changes to this bug.