classification
Title: Buffer overrun in winreg.c
Type: crash Stage:
Components: Interpreter Core Versions: Python 3.4, Python 3.2, Python 3.3
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: amaury.forgeotdarc, kristjan.jonsson, loewis, python-dev
Priority: normal Keywords: patch

Created on 2012-04-01 20:24 by kristjan.jonsson, last changed 2012-04-02 15:43 by kristjan.jonsson. This issue is now closed.

Files
File name Uploaded Description Edit
winreg.patch kristjan.jonsson, 2012-04-01 20:24 review
Messages (7)
msg157329 - (view) Author: Kristján Valur Jónsson (kristjan.jonsson) * (Python committer) Date: 2012-04-01 20:24
I found this issue with code analyzer in VS2010.
The problem applies to all 3.x versions, but there is no corresponding winreg.c file in 2.x.
Since I'm not sure of the maintenance state of the individual branches, I'm creating this defect hoping for guidance. Which branches should be fixed?
msg157336 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-04-01 23:47
The patch looks fine. As it's not a security fix, it should go into 3.2 and default.
msg157344 - (view) Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * (Python committer) Date: 2012-04-02 08:57
In 2.7, the file is named _winreg.c.  But the patch does not apply there, because it's using the ANSI (=bytes) API.
msg157345 - (view) Author: Kristján Valur Jónsson (kristjan.jonsson) * (Python committer) Date: 2012-04-02 09:16
Thanks.
Martin, what constitutes a security fix for Python?  For example, isn't it conceivable that one could place a long key into some registry setting used by python and thus interfere with its stack?  Aren't stack buffer overruns a classic security hole?
msg157352 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-04-02 12:17
> Martin, what constitutes a security fix for Python?  For example,  
> isn't it conceivable that one could place a long key into some  
> registry setting used by python and thus interfere with its stack?

If it has a CVE identifier, it's a security fix. Otherwise, I'd apply
standard risk assessment procedures, and ask the release manager for
judgement.

> Aren't stack buffer overruns a classic security hole?

My personal risk assessment of this issue is that it has a fairly low
risk, as the likelihood of an attack is low. Just placing a key in the
registry is not sufficient as an attack: one would also need a different
user who has a Python application that enumerates this part of the
registry. In that scenario, the user would have to be unprivileged (*), i.e.
would not have write permissions to either HKLM nor HKCR. Writing to HKCU
does not constitute a threat, since it would only allow to crash your own
Python applications.

There may be opportunities where an administrator has a script that
traverses HKEY_USERS while a different user is logged on. Given that the
threat of being discovered is very high for the attacker, and given that
the typical Windows installation does not use concurrent logins, and
given that traversing HKEY_USERS is uncommon, I think the risk of this
threat is really low.

(*) an administrator user could just as well replace the Python DLL,
causing a threat regardless of the winreg module.
msg157353 - (view) Author: Kristján Valur Jónsson (kristjan.jonsson) * (Python committer) Date: 2012-04-02 12:30
Thanks for the your info/insight,  Martin.  I'll update 3.2 and 3.3. as you suggest then.
msg157367 - (view) Author: Roundup Robot (python-dev) Date: 2012-04-02 15:41
New changeset b3639f6aaa2b by Kristján Valur Jónsson in branch '3.2':
Issue #14471: Fix a possible buffer overrun in the winreg module.
http://hg.python.org/cpython/rev/b3639f6aaa2b

New changeset 80d814d7b886 by Kristján Valur Jónsson in branch 'default':
Merge with 3.2 (Issue #14471)
http://hg.python.org/cpython/rev/80d814d7b886
History
Date User Action Args
2012-04-02 15:43:02kristjan.jonssonsetstatus: open -> closed
resolution: fixed
2012-04-02 15:41:34python-devsetnosy: + python-dev
messages: + msg157367
2012-04-02 12:30:49kristjan.jonssonsetmessages: + msg157353
2012-04-02 12:17:43loewissetmessages: + msg157352
2012-04-02 09:16:07kristjan.jonssonsetmessages: + msg157345
2012-04-02 08:57:56amaury.forgeotdarcsetnosy: + amaury.forgeotdarc
messages: + msg157344
2012-04-01 23:48:09loewissetversions: - Python 3.1
2012-04-01 23:47:54loewissetmessages: + msg157336
2012-04-01 21:54:50pitrousetnosy: + loewis
2012-04-01 20:24:41kristjan.jonssonsettitle: Buffer oferrun in winreg.c -> Buffer overrun in winreg.c
2012-04-01 20:24:32kristjan.jonssoncreate