classification
Title: [CVE-2007-4965] Integer overflow in imageop module
Type: security Stage:
Components: Extension Modules Versions: Python 2.6, Python 2.5
process
Status: closed Resolution: accepted
Dependencies: Superseder:
Assigned To: Nosy List: anthonybaxter, barry, benjamin.peterson, cartman, chmod007, gvanrossum, jafo, jhpanetta, matejcik, nevyn, nnorwitz
Priority: release blocker Keywords: patch

Created on 2007-09-19 01:02 by cartman, last changed 2008-08-19 21:02 by gvanrossum. This issue is now closed.

Files
File name Uploaded Description Edit
poc.py cartman, 2007-09-19 01:02
python-2.5.CVE-2007-4965-int-overflow.patch nevyn, 2007-09-19 21:05
python-2.5.CVE-2007-4965-int-overflow.patch nevyn, 2007-09-19 22:07
python-2.5.CVE-2007-4965-int-overflow.patch nevyn, 2007-10-22 21:43
python-2.5-int-overflow-2.patch chmod007, 2008-04-07 23:32
Messages (28)
msg56020 - (view) Author: Ismail Donmez (cartman) Date: 2007-09-19 01:02
As reported at
http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065826.html
. There is an integer overflow in imageop module which results in an
interpreter crash. Original proof of concept code is attached.
msg56022 - (view) Author: Sean Reifschneider (jafo) * (Python committer) Date: 2007-09-19 02:27
It's unclear if this only causes a crash or if it can inject data. 
Referenced mailing list post points out where one error is.
msg56042 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2007-09-19 17:25
Cartman, please refrain from using vulgarities in your sample code. It's
hard to take a bug report seriously with such variable names.
msg56045 - (view) Author: Sean Reifschneider (jafo) * (Python committer) Date: 2007-09-19 20:16
Guido: That code came from the full-disclosure list posting, I think
cartman was just passing it on.
msg56047 - (view) Author: James Antill (nevyn) Date: 2007-09-19 21:03
So I think this is all the places integer overflow checking is needed
in imageop.c and rgbimgmodule.c.
 There might be checks here which can't be exploited anyway, and I
haven't checked any other files yet.

 Feel free to comment.

 Ps. This is against the 2.5 in Fedora-7, but it should apply to upstream.
msg56049 - (view) Author: Ismail Donmez (cartman) Date: 2007-09-19 21:38
Guido,

The poc is taken as is, sorry.
msg56050 - (view) Author: James Antill (nevyn) Date: 2007-09-19 22:07
And now the obvious typo fix, *sigh*.
msg56051 - (view) Author: Ismail Donmez (cartman) Date: 2007-09-19 22:24
nevyn: Your patch cleanly applies to python 2.4.4 and fixes the
interpreter crash with poc.py

Thanks.
msg56052 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2007-09-19 22:56
Hm. First of all, it seems the imageop module has completely missed the
Py_ssize_t changes.

Second, I don't think that "if ( x != len / y )" is a valid replacement
for "if ( x*y != len )" -- consider x==5, y==2, len==11.
msg56053 - (view) Author: James Antill (nevyn) Date: 2007-09-20 01:30
Guido: It's true that len can be slightly bigger than x*y, the big
thing is that it can't be smaller so we can malloc(len) and use up to x*y
(which was my main focus).
 I first looked at any of this code today, but I didn't see any reason
that having len be slightly larger would be a problem ... and in pretty
much all cases it'll be len == x*y.

 However we could have both cases covered by doing:

 if ( (len != x*y) || (x != (len / y)) )

...but esp. at that point it seems like we'd want some interface so that
we could just do something like:

 if ( check_multiplies2(len, x, y) )
msg56596 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2007-10-20 03:38
Neal, didn't you say you had a fix for this?
msg56659 - (view) Author: James Antill (nevyn) Date: 2007-10-22 21:43
Not sure who Neal is, and this probably isn't a final upstream fix ...
but it's what I've applied to Fedora's python. It's basically the same
patch as before, but it keeps the original * tests instead of just
replacing them with / tests. So given:

 if x * y != len

...the first patch did:

 if len / x != y

...and this patch does:

 if x * y != len ||
    len / x != y
msg58789 - (view) Author: Jim Panetta (jhpanetta) Date: 2007-12-19 02:54
Is this final yet?  Our system security group is a little paranoid about
buffer overflows of any sort and are starting to make noises.  I can
confirm that the Oct 20 patch applies against Python 2.5.1 on RHEL4, and
that the string length error is generated when running poc.py.
msg58820 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2007-12-19 20:03
Sigh. I'll try to make time to review & apply this.
msg58828 - (view) Author: James Antill (nevyn) Date: 2007-12-19 20:43
I've applied the last patch I posted to recent RHEL and Fedora
releases, and it doesn't seem to break anything ... and from what I
could see it fixed the problem.
msg58829 - (view) Author: Ismail Donmez (cartman) Date: 2007-12-19 20:45
Same here for Pardus Linux, applied the patch without a regression.
msg63888 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2008-03-18 04:55
Sorry this missed the 2.5.2 release.  I'll try to look again before
2.5.3 is imminent.
msg64682 - (view) Author: David Remahl (chmod007) Date: 2008-03-29 04:37
The following test cases still cause bus errors with the patch applied:

import imageop; imageop.rgb82rgb('A'*(2**30), 32768, 32768)
import imageop; imageop.grey2rgb('A'*(2**30), 32768, 32768)
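Worked example added here (my own code, not any of the patches attached to this issue, and the function names are hypothetical): it puts the overflow-safe size check the thread converges on in msg56052, msg56053 and msg56659 beside the division-only form, and models the 32-bit output-size wrap behind the two test cases in msg64682. The dimension check rejects both a buffer that is not an exact multiple of x*y (the 5, 2, 11 case) and any product that would not fit in size_t, before anything is allocated or written.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Multiply a and b as size_t. Returns 1 and stores the product in *out when
 * it fits, 0 when it would wrap. The division form needs no wider type. */
int safe_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Validate that a caller-supplied buffer of len bytes is exactly
 * x * y * bytes_per_pixel: non-positive dimensions and any product that
 * would overflow are rejected. Returns 1 when the dimensions are usable.
 * (Hypothetical helper, not the imageop module's own code.) */
int check_image_dims(size_t len, long x, long y, size_t bytes_per_pixel)
{
    size_t pixels, needed;
    if (x <= 0 || y <= 0 || bytes_per_pixel == 0)
        return 0;
    if (!safe_mul_size((size_t)x, (size_t)y, &pixels))
        return 0;
    if (!safe_mul_size(pixels, bytes_per_pixel, &needed))
        return 0;
    return needed == len;
}

/* The division-only test discussed in the thread: it tolerates a len that
 * is larger than x*y but not a whole multiple (Guido's 5, 2, 11 case). */
int division_only_check(size_t len, long x, long y)
{
    if (x <= 0 || y <= 0)
        return 0;
    return len / (size_t)x == (size_t)y;
}

/* Output-buffer size computed the way a 32-bit int product would be:
 * 32768 * 32768 * 4 wraps to 0, so an allocation of that size is far too
 * small for the writes that follow. Unsigned wrap is well defined in C,
 * so this models the arithmetic without undefined behaviour. */
uint32_t naive_u32_output_size(uint32_t x, uint32_t y, uint32_t bytes_per_pixel)
{
    return x * y * bytes_per_pixel;
}

int main(void)
{
    /* Constructed sample values taken from the discussion above. */
    printf("len=11,x=5,y=2: division-only=%d, checked=%d\n",
           division_only_check(11, 5, 2), check_image_dims(11, 5, 2, 1));
    printf("32768x32768x4: naive u32 size=%" PRIu32 ", checked=%d\n",
           naive_u32_output_size(32768, 32768, 4),
           check_image_dims((size_t)1 << 30, 32768, 32768, 4));
    return 0;
}
```

The check is deliberately done once, up front, on every dimension and the per-pixel multiplier, so that neither the input-length comparison nor the output allocation can be reached with a wrapped value; the division-based overflow test works on any platform without relying on a wider integer type.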
msg64955 - (view) Author: Neal Norwitz (nnorwitz) * (Python committer) Date: 2008-04-05 01:04
I think this was a module that I skipped.  I think Anthony might have
had a patch, but if we have a fix, I'm not sure it matters.  We need to
fix this for 2.5.3, upping the priority.
msg65130 - (view) Author: David Remahl (chmod007) Date: 2008-04-07 23:32
Uploading patch that addresses the test cases above. It applies on top of 
nevyn’s latest patch.
msg66394 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2008-05-08 02:59
This is not a release blocker for 2.6 or 3.0.
msg66405 - (view) Author: Ismail Donmez (cartman) Date: 2008-05-08 04:51
This _must_ be a release blocker for Python 3.0. It's a shame that this
bug still is not fixed and a patch has been available for months now.
msg66407 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2008-05-08 04:54
imageop is deleted in 3.0. See PEP 3108. So it can't be a release
blocker. This also explains my general lack of interest in this module.
msg66408 - (view) Author: Ismail Donmez (cartman) Date: 2008-05-08 05:42
I am sorry for the drama then, :)
msg70476 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-07-31 02:10
Does anybody still care about this for 2.6?
msg70744 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2008-08-05 15:59
The two segfaults reported in msg64682 are still there in 2.6.
I'm elevating this to release blocker but don't have time to fix this
myself.
msg71477 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2008-08-19 20:26
Looking into this now.
msg71483 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2008-08-19 21:02
Latest patches applied to 2.5 branch: r65878.
And to 2.6 trunk: r65880.
History
Date                 User               Action  Args
2008-08-19 21:02:22  gvanrossum         set     status: open -> closed; resolution: accepted; messages: + msg71483
2008-08-19 20:26:18  gvanrossum         set     messages: + msg71477
2008-08-16 01:26:41  pitrou             set     nosy: - pitrou
2008-08-11 13:25:40  pitrou             set     nosy: + pitrou
2008-08-05 15:59:18  gvanrossum         set     priority: critical -> release blocker; assignee: gvanrossum -> (none); messages: + msg70744; versions: + Python 2.6
2008-07-31 02:10:04  benjamin.peterson  set     nosy: + benjamin.peterson; messages: + msg70476
2008-05-08 05:42:10  cartman            set     messages: + msg66408
2008-05-08 04:54:58  gvanrossum         set     messages: + msg66407
2008-05-08 04:51:38  cartman            set     messages: + msg66405
2008-05-08 02:59:07  barry              set     priority: release blocker -> critical; nosy: + barry; messages: + msg66394
2008-04-07 23:32:29  chmod007           set     files: + python-2.5-int-overflow-2.patch; messages: + msg65130
2008-04-05 01:04:05  nnorwitz           set     priority: high -> release blocker; nosy: + anthonybaxter; messages: + msg64955
2008-04-04 12:49:06  matejcik           set     nosy: + matejcik
2008-03-29 04:37:26  chmod007           set     nosy: + chmod007; messages: + msg64682
2008-03-18 04:55:58  gvanrossum         set     messages: + msg63888; components: + Extension Modules, - Library (Lib)
2007-12-19 20:45:50  cartman            set     messages: + msg58829
2007-12-19 20:43:22  nevyn              set     messages: + msg58828
2007-12-19 20:03:39  gvanrossum         set     assignee: gvanrossum; messages: + msg58820
2007-12-19 02:54:29  jhpanetta          set     nosy: + jhpanetta; messages: + msg58789
2007-10-22 21:43:05  nevyn              set     files: + python-2.5.CVE-2007-4965-int-overflow.patch; messages: + msg56659
2007-10-20 03:38:31  gvanrossum         set     nosy: + nnorwitz; messages: + msg56596
2007-09-25 04:53:34  loewis             set     keywords: + patch
2007-09-20 17:28:22  jafo               set     priority: high
2007-09-20 01:30:23  nevyn              set     messages: + msg56053
2007-09-19 22:56:18  gvanrossum         set     priority: high -> (no value); messages: + msg56052
2007-09-19 22:24:31  cartman            set     messages: + msg56051
2007-09-19 22:07:02  nevyn              set     files: + python-2.5.CVE-2007-4965-int-overflow.patch; messages: + msg56050
2007-09-19 21:38:38  cartman            set     messages: + msg56049
2007-09-19 21:05:04  nevyn              set     files: + python-2.5.CVE-2007-4965-int-overflow.patch
2007-09-19 21:03:52  nevyn              set     nosy: + nevyn; messages: + msg56047
2007-09-19 20:16:31  jafo               set     messages: + msg56045
2007-09-19 17:25:50  gvanrossum         set     nosy: + gvanrossum; messages: + msg56042
2007-09-19 02:27:43  jafo               set     priority: high; nosy: + jafo; messages: + msg56022
2007-09-19 01:02:34  cartman            create