classification
Title: integer overflow in 'buffer' type allows reading memory
Type: security
Stage: resolved
Components: Interpreter Core
Versions: Python 2.7

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Arfrever, Henri.Salo, benjamin.peterson, python-dev
Priority: release blocker
Keywords:

Created on 2014-06-24 03:11 by benjamin.peterson, last changed 2014-10-03 17:09 by python-dev. This issue is now closed.

Messages (4)
msg221392 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) - Date: 2014-06-24 03:11
Reported by Chris Foster on the security list:

$ ./python 
Python 2.7.7+ (2.7:8e0b7393e921, Jun 24 2014, 03:01:40) 
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> a = bytearray('hola mundo')
>>> b = buffer(a, 0x7fffffff, 0x7fffffff)
>>> print repr(b[:0x100])
"\x00\x08\x11\x00\x00\x00\x00\x00\x00\x00\xa00_\xf7\x10\x00\x00\x00i\x03\x00\x00\x02\x00\x00\x00\xa0\xd1\x18\x08I\x03\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00Directory tree walk with callback function.\n\n    For each directory in the directory tree rooted at top (including top\n    itself, but excluding '.' and '..'), call func(arg, dirname, fnames).\n    dirname is the na"

msg221393 - Author: Roundup Robot (python-dev) - Date: 2014-06-24 03:13
New changeset 8d963c7db507 by Benjamin Peterson in branch '2.7':
avoid overflow with large buffer sizes and/or offsets (closes #21831)
http://hg.python.org/cpython/rev/8d963c7db507
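
The overflow class named in the changeset message above, as an added example (not CPython's source and not code from this issue): a model of a buffer view's offset/size clamp, with a sum-based bounds check beside a subtraction-based one. The function names, the 32-bit signed size type and the clamp-offset-first step are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: sizes are 32-bit signed, as on a 32-bit build. */
typedef int32_t ssize32;

/* Two's-complement wrapping add, computed without signed-overflow UB. */
static ssize32 wrap_add(ssize32 a, ssize32 b)
{
    uint32_t u = (uint32_t)a + (uint32_t)b;
    if (u <= (uint32_t)INT32_MAX)
        return (ssize32)u;
    return (ssize32)(u - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* Sum-based check: offset + size can wrap negative and skip the clamp.
 * Inputs are assumed non-negative. Returns the length the view exposes. */
static ssize32 view_len_unsafe(ssize32 count, ssize32 offset, ssize32 size)
{
    if (offset > count)
        offset = count;
    if (wrap_add(offset, size) > count)
        size = count - offset;
    return size;
}

/* Subtraction-based check: 0 <= offset <= count here, so count - offset
 * cannot overflow and size is always clamped to what remains. */
static ssize32 view_len_safe(ssize32 count, ssize32 offset, ssize32 size)
{
    if (offset > count)
        offset = count;
    if (size > count - offset)
        size = count - offset;
    return size;
}

int main(void)
{
    /* Constructed input: 10-byte object, offset and size both 0x7fffffff. */
    ssize32 count = 10, off = 0x7fffffff, sz = 0x7fffffff;
    printf("unsafe: %ld bytes exposed\n", (long)view_len_unsafe(count, off, sz));
    printf("safe:   %ld bytes exposed\n", (long)view_len_safe(count, off, sz));
    return 0;
}
```

In the model, the sum-based check leaves the requested size untouched for a 10-byte object, while the subtraction-based check reduces it to zero.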

msg227578 - Author: Henri Salo (Henri.Salo) - Date: 2014-09-25 21:34
CVE-2014-7185

msg228341 - Author: Roundup Robot (python-dev) - Date: 2014-10-03 17:09
New changeset 5ef28c22dc24 by doko in branch '2.7':
- Add CVE number for Issue #21831
https://hg.python.org/cpython/rev/5ef28c22dc24

History
Date                 User               Action  Args
2014-10-03 17:09:10  python-dev         set     messages: + msg228341
2014-09-30 13:40:35  Arfrever           set     nosy: + Arfrever
2014-09-25 21:34:31  Henri.Salo         set     nosy: + Henri.Salo; messages: + msg227578
2014-06-24 03:13:54  python-dev         set     status: open -> closed; nosy: + python-dev; messages: + msg221393; resolution: fixed; stage: resolved
2014-06-24 03:11:23  benjamin.peterson  create