+++ This bug was initially created as a clone of Bug #235093 +++

Description of problem:

Modules/_localemodule.c:361

356         n1 = strlen(s) + 1;
357         buf = PyMem_Malloc(n1);
358         if (!buf)
359             return PyErr_NoMemory();
360         n2 = strxfrm(buf, s, n1);

In case the transformed string is longer than the original string... (see the PoC for an example)

361         if (n2 > n1) {
362             /* more space needed */

We allocate n2 bytes here:

363             buf = PyMem_Realloc(buf, n2);
364             if (!buf)
365                 return PyErr_NoMemory();

And here the string will be n2 chars long and the terminating NUL won't fit, thus the string won't be terminated, which can lead to an information leak in certain rare cases (see the original Debian report for details).

366             strxfrm(buf, s, n2);
367         }
368         result = PyString_FromString(buf);
369         PyMem_Free(buf);
370         return result;
371     }
372
373     #if defined(MS_WINDOWS)
374     static PyObject*
375     PyLocale_getdefaultlocale(PyObject* self)

Version-Release number of selected component (if applicable):
FC5, FC6, RHEL2.1, RHEL3, RHEL4, RHEL5

How reproducible:
Proof of concept code attached.

Additional info:
See the URL for the original bug report to Debian and the PoC by Piotr Engelking. It contains details on how to reproduce and recognize the flaw.

-- Additional comment from lkundrak on 2007-04-03 14:55 EST --

Created an attachment (id=151611)
Python's locale.strxfrm() off-by-one flaw PoC
The fix is a nice one-liner: http://svn.python.org/view/python/branches/release25-maint/Modules/_localemodule.c?rev=54670&r1=51333&r2=54670&makepatch=1&diff_format=h Colored diff for the patch: http://svn.python.org/view/python/branches/release25-maint/Modules/_localemodule.c?rev=54670&r1=51333&r2=54670
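As an added illustration of the off-by-one described in the report above, and of the size accounting a fix needs, here is a stand-alone C program that places the flawed sizing logic next to a hardened variant. This is example code written for this page; it is neither the Python project's code nor the upstream patch linked above. Because strxfrm() in the "C" locale returns its input unchanged and never takes the reallocation path, the example uses a constructed `doubling_xfrm` stand-in for a locale whose collation makes strings longer; it follows the strxfrm(3) contract (return value excludes the NUL, and the buffer is indeterminate when the return value is n or more). The `struct xfrm_result`, `xfrm_dup_vulnerable`, `xfrm_dup_fixed` and `xfrm_result_terminated` names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same signature as strxfrm(3): write at most n bytes (NUL included) to dst
 * and return the full transformed length excluding the NUL. If the return
 * value is >= n, the contents of dst are indeterminate. */
typedef size_t (*xfrm_fn)(char *dst, const char *src, size_t n);

/* Constructed stand-in for a locale whose collation expands every input byte
 * into two bytes ("ab" -> "aabb"). Like the libc behaviour the report relies
 * on, it writes no NUL when the transformed string does not fit. */
static size_t doubling_xfrm(char *dst, const char *src, size_t n)
{
    size_t needed = 2 * strlen(src);
    for (size_t i = 0; i < needed && i < n; i++)
        dst[i] = src[i / 2];
    if (needed < n)
        dst[needed] = '\0';
    return needed;
}

/* The real thing, for the "C" locale case where nothing grows. */
static size_t libc_xfrm(char *dst, const char *src, size_t n)
{
    return strxfrm(dst, src, n);
}

/* The allocation size travels with the buffer so callers can inspect it
 * without reading past its end. */
struct xfrm_result {
    char  *buf;
    size_t cap;     /* bytes allocated */
    size_t needed;  /* transformed length reported by xfrm, NUL excluded */
};

/* Mirrors the flawed logic quoted from _localemodule.c: the transform's
 * return value is treated as if it already covered the terminating NUL. */
static struct xfrm_result xfrm_dup_vulnerable(const char *s, xfrm_fn xfrm)
{
    struct xfrm_result r = {NULL, 0, 0};
    size_t n1 = strlen(s) + 1;
    char *buf = malloc(n1);
    if (!buf) return r;
    size_t n2 = xfrm(buf, s, n1);
    r.cap = n1;
    if (n2 > n1) {              /* also wrong when n2 == n1: no room for NUL */
        char *nbuf = realloc(buf, n2);   /* n2 bytes, but n2 + 1 are needed */
        if (!nbuf) { free(buf); return r; }
        buf = nbuf;
        xfrm(buf, s, n2);
        r.cap = n2;
    }
    r.buf = buf;
    r.needed = n2;
    return r;
}

/* Hardened variant: count the NUL once, up front, so every later value is a
 * buffer size rather than a string length. */
static struct xfrm_result xfrm_dup_fixed(const char *s, xfrm_fn xfrm)
{
    struct xfrm_result r = {NULL, 0, 0};
    size_t n1 = strlen(s) + 1;
    char *buf = malloc(n1);
    if (!buf) return r;
    size_t n2 = xfrm(buf, s, n1) + 1;   /* +1: room for the terminating NUL */
    r.cap = n1;
    if (n2 > n1) {
        char *nbuf = realloc(buf, n2);
        if (!nbuf) { free(buf); return r; }
        buf = nbuf;
        xfrm(buf, s, n2);
        r.cap = n2;
    }
    r.buf = buf;
    r.needed = n2 - 1;
    return r;
}

/* 1 if a NUL lies inside the allocation, 0 if the string runs off its end,
 * which is what PyString_FromString() would then read past. The memchr()
 * is bounded by cap, so the check itself never leaves the buffer. */
static int xfrm_result_terminated(const struct xfrm_result *r)
{
    return r->buf != NULL && memchr(r->buf, '\0', r->cap) != NULL;
}

static void xfrm_result_free(struct xfrm_result *r)
{
    free(r->buf);
    r->buf = NULL;
}

int main(void)
{
    const char *inputs[] = {"a", "ab", "hello"};
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        struct xfrm_result v = xfrm_dup_vulnerable(inputs[i], doubling_xfrm);
        struct xfrm_result f = xfrm_dup_fixed(inputs[i], doubling_xfrm);
        printf("%-6s vulnerable: cap=%zu terminated=%d   fixed: cap=%zu terminated=%d\n",
               inputs[i], v.cap, xfrm_result_terminated(&v),
               f.cap, xfrm_result_terminated(&f));
        xfrm_result_free(&v);
        xfrm_result_free(&f);
    }
    return 0;
}
```

Two things are worth noticing when running it. The input "a" shows that the flaw is not only in the reallocation branch: the transform reports exactly n1 bytes, the `n2 > n1` test is false, and the original n1-byte buffer is left without its NUL. And with `libc_xfrm` in the "C" locale both variants behave identically, which is why the bug is only visible under a locale whose collation output is longer than its input, as the PoC referenced in the report demonstrates.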
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reproduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change.

Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
to ensure this doesn't happen again.

And if you'd like to join the bug triage team to help make things better, check out
http://fedoraproject.org/wiki/BugZappers
This bug is open for a Fedora version that is no longer maintained and will not be fixed by Fedora. Therefore we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.