msg56020
Author: Ismail Donmez (donmez) *
Date: 2007-09-19 01:02
As reported at
http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065826.html
there is an integer overflow in the imageop module which results in an
interpreter crash. Original proof of concept code is attached.
msg56022
Author: Sean Reifschneider (jafo) *
Date: 2007-09-19 02:27
It's unclear if this only causes a crash or if it can inject data.
Referenced mailing list post points out where one error is.
msg56042
Author: Guido van Rossum (gvanrossum) *
Date: 2007-09-19 17:25
Cartman, please refrain from using vulgarities in your sample code. It's
hard to take a bug report seriously with such variable names.
msg56045
Author: Sean Reifschneider (jafo) *
Date: 2007-09-19 20:16
Guido: That code came from the full-disclosure list posting, I think
cartman was just passing it on.
msg56047
Author: James Antill (nevyn)
Date: 2007-09-19 21:03
So I think this is all the places integer overflow checking is needed
in imageop.c and rgbimgmodule.c.
There might be checks here which can't be exploited anyway, and I
haven't checked any other files yet.
Feel free to comment.
PS. This is against the 2.5 in Fedora-7, but it should apply to upstream.
msg56049
Author: Ismail Donmez (donmez) *
Date: 2007-09-19 21:38
Guido,
The poc is taken as is, sorry.
msg56050
Author: James Antill (nevyn)
Date: 2007-09-19 22:07
And now the obvious typo fix, *sigh*.
msg56051
Author: Ismail Donmez (donmez) *
Date: 2007-09-19 22:24
nevyn: Your patch cleanly applies to python 2.4.4 and fixes the
interpreter crash with poc.py
Thanks.
msg56052
Author: Guido van Rossum (gvanrossum) *
Date: 2007-09-19 22:56
Hm. First of all, it seems the imageop module has completely missed the
Py_ssize_t changes.
Second, I don't think that "if ( x != len / y )" is a valid replacement
for "if ( x*y != len )" -- consider x==5, y==2, len==11.
msg56053
Author: James Antill (nevyn)
Date: 2007-09-20 01:30
Guido: It's true that len can be slightly bigger than x*y, the big
thing is that it can't be smaller so we can malloc(len) and use up to x*y
(which was my main focus).
I first looked at any of this code today, but I didn't see any reason
that having len be slightly larger would be a problem ... and in pretty
much all cases it'll be len == x*y.
However we could have both cases covered by doing:
if ( (len != x*y) || (x != (len / y)) )
...but esp. at that point it seems like we'd want some interface so that
we could just do something like:
if ( check_multiplies2(len, x, y) )
msg56596
Author: Guido van Rossum (gvanrossum) *
Date: 2007-10-20 03:38
Neal, didn't you say you had a fix for this?
msg56659
Author: James Antill (nevyn)
Date: 2007-10-22 21:43
Not sure who Neal is, and this probably isn't a final upstream fix ...
but it's what I've applied to Fedora's python. It's basically the same
patch as before, but it keeps the original * tests instead of just
replacing them with / tests. So given:
if x * y != len
...the first patch did:
if len / x != y
...and this patch does:
if x * y != len ||
len / x != y
msg58789
Author: Jim Panetta (jhpanetta)
Date: 2007-12-19 02:54
Is this final yet? Our system security group is a little paranoid about
buffer overflows of any sort and are starting to make noises. I can
confirm that the Oct 20 patch applies against Python 2.5.1 on RHEL4, and
that the string length error is generated when running poc.py.
msg58820
Author: Guido van Rossum (gvanrossum) *
Date: 2007-12-19 20:03
Sigh. I'll try to make time to review & apply this.
msg58828
Author: James Antill (nevyn)
Date: 2007-12-19 20:43
I've applied the last patch I posted to recent RHEL and Fedora
releases, and it doesn't seem to break anything ... and from what I
could see it fixed the problem.
msg58829
Author: Ismail Donmez (donmez) *
Date: 2007-12-19 20:45
Same here for Pardus Linux, applied the patch without a regression.
msg63888
Author: Guido van Rossum (gvanrossum) *
Date: 2008-03-18 04:55
Sorry this missed the 2.5.2 release. I'll try to look again before
2.5.3 is imminent.
msg64682
Author: David Remahl (chmod007)
Date: 2008-03-29 04:37
The following test cases still cause bus errors with the patch applied:
import imageop; imageop.rgb82rgb('A'*(2**30), 32768, 32768)
import imageop; imageop.grey2rgb('A'*(2**30), 32768, 32768)
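The three size checks debated in msg56052, msg56053 and msg56659, plus the output-side product that the two cases in msg64682 still trip, side by side. This is an added example, not code from imageop.c or from any of the attached patches; it assumes the module's sizes were plain 32-bit ints (uint32_t here so wraparound is well defined) and that rgb82rgb and grey2rgb write 4 bytes per output pixel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not code from imageop.c or from the attached patches.
 * The module did its size arithmetic in C ints; uint32_t is used here so
 * that wraparound is well defined (signed overflow would be undefined). */

/* Original imageop test: reject unless x*y == len. A wrapped product passes. */
static bool original_check_rejects(uint32_t len, uint32_t x, uint32_t y)
{
    return x * y != len;
}

/* First Fedora patch: reject unless len/x == y. Catches the wrapped product
 * but, as msg56052 points out, accepts len == 11 for x == 5, y == 2. */
static bool divide_check_rejects(uint32_t len, uint32_t x, uint32_t y)
{
    return x == 0 || len / x != y;
}

/* Second patch (msg56659): both tests together, the check_multiplies2 idea. */
static bool combined_check_rejects(uint32_t len, uint32_t x, uint32_t y)
{
    return x == 0 || x * y != len || len / x != y;
}

/* The msg64682 cases pass the combined input check (x*y == len == 2**30), so
 * the product that still needs guarding is the output size x*y*bytes_per_pixel
 * (assumed 4 for rgb82rgb and grey2rgb). Returns -1 when that would wrap. */
static int64_t output_bytes(uint32_t x, uint32_t y, uint32_t bpp)
{
    uint32_t pixels = x * y;
    if (x != 0 && pixels / x != y)
        return -1;
    uint32_t bytes = pixels * bpp;
    if (bpp != 0 && bytes / bpp != pixels)
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    /* 65536 * 65537 wraps to 65536 in 32 bits, so the original test is fooled. */
    printf("wrapped product, original check rejects: %d\n", original_check_rejects(65536u, 65536u, 65537u));
    printf("len 11 for 5x2, divide-only check rejects: %d\n", divide_check_rejects(11u, 5u, 2u));
    printf("rgb82rgb 32768x32768 output bytes: %lld\n", (long long)output_bytes(32768u, 32768u, 4u));
    return 0;
}
```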
msg64955
Author: Neal Norwitz (nnorwitz) *
Date: 2008-04-05 01:04
I think this was a module that I skipped. I think Anthony might have
had a patch, but if we have a fix, I'm not sure it matters. We need to
fix this for 2.5.3, upping the priority.
msg65130
Author: David Remahl (chmod007)
Date: 2008-04-07 23:32
Uploading patch that addresses the test cases above. It applies on top of
nevyn's latest patch.
msg66394
Author: Barry A. Warsaw (barry) *
Date: 2008-05-08 02:59
This is not a release blocker for 2.6 or 3.0.
msg66405
Author: Ismail Donmez (donmez) *
Date: 2008-05-08 04:51
This _must_ be a release blocker for Python 3.0. It's a shame that this
bug still is not fixed and a patch has been available for months now.
msg66407
Author: Guido van Rossum (gvanrossum) *
Date: 2008-05-08 04:54
imageop is deleted in 3.0. See PEP 3108. So it can't be a release
blocker. This also explains my general lack of interest in this module.
msg66408
Author: Ismail Donmez (donmez) *
Date: 2008-05-08 05:42
I am sorry for the drama then, :)
msg70476
Author: Benjamin Peterson (benjamin.peterson) *
Date: 2008-07-31 02:10
Does anybody still care about this for 2.6?
msg70744
Author: Guido van Rossum (gvanrossum) *
Date: 2008-08-05 15:59
The two segfaults reported in msg64682 are still there in 2.6.
I'm elevating this to release blocker but don't have time to fix this
myself.
msg71477
Author: Guido van Rossum (gvanrossum) *
Date: 2008-08-19 20:26
Looking into this now.
msg71483
Author: Guido van Rossum (gvanrossum) *
Date: 2008-08-19 21:02
Latest patches applied to 2.5 branch: r65878.
And to 2.6 trunk: r65880.

Date | User | Action | Args
2022-04-11 14:56:27 | admin | set | github: 45520
2008-08-19 21:02:22 | gvanrossum | set | status: open -> closed; resolution: accepted; messages: + msg71483
2008-08-19 20:26:18 | gvanrossum | set | messages: + msg71477
2008-08-16 01:26:41 | pitrou | set | nosy: - pitrou
2008-08-11 13:25:40 | pitrou | set | nosy: + pitrou
2008-08-05 15:59:18 | gvanrossum | set | priority: critical -> release blocker; assignee: gvanrossum ->; messages: + msg70744; versions: + Python 2.6
2008-07-31 02:10:04 | benjamin.peterson | set | nosy: + benjamin.peterson; messages: + msg70476
2008-05-08 05:42:10 | donmez | set | messages: + msg66408
2008-05-08 04:54:58 | gvanrossum | set | messages: + msg66407
2008-05-08 04:51:38 | donmez | set | messages: + msg66405
2008-05-08 02:59:07 | barry | set | priority: release blocker -> critical; nosy: + barry; messages: + msg66394
2008-04-07 23:32:29 | chmod007 | set | files: + python-2.5-int-overflow-2.patch; messages: + msg65130
2008-04-05 01:04:05 | nnorwitz | set | priority: high -> release blocker; nosy: + anthonybaxter; messages: + msg64955
2008-04-04 12:49:06 | matejcik | set | nosy: + matejcik
2008-03-29 04:37:26 | chmod007 | set | nosy: + chmod007; messages: + msg64682
2008-03-18 04:55:58 | gvanrossum | set | messages: + msg63888; components: + Extension Modules, - Library (Lib)
2007-12-19 20:45:50 | donmez | set | messages: + msg58829
2007-12-19 20:43:22 | nevyn | set | messages: + msg58828
2007-12-19 20:03:39 | gvanrossum | set | assignee: gvanrossum; messages: + msg58820
2007-12-19 02:54:29 | jhpanetta | set | nosy: + jhpanetta; messages: + msg58789
2007-10-22 21:43:05 | nevyn | set | files: + python-2.5.CVE-2007-4965-int-overflow.patch; messages: + msg56659
2007-10-20 03:38:31 | gvanrossum | set | nosy: + nnorwitz; messages: + msg56596
2007-09-25 04:53:34 | loewis | set | keywords: + patch
2007-09-20 17:28:22 | jafo | set | priority: high
2007-09-20 01:30:23 | nevyn | set | messages: + msg56053
2007-09-19 22:56:18 | gvanrossum | set | priority: high -> (no value); messages: + msg56052
2007-09-19 22:24:31 | donmez | set | messages: + msg56051
2007-09-19 22:07:02 | nevyn | set | files: + python-2.5.CVE-2007-4965-int-overflow.patch; messages: + msg56050
2007-09-19 21:38:38 | donmez | set | messages: + msg56049
2007-09-19 21:05:04 | nevyn | set | files: + python-2.5.CVE-2007-4965-int-overflow.patch
2007-09-19 21:03:52 | nevyn | set | nosy: + nevyn; messages: + msg56047
2007-09-19 20:16:31 | jafo | set | messages: + msg56045
2007-09-19 17:25:50 | gvanrossum | set | nosy: + gvanrossum; messages: + msg56042
2007-09-19 02:27:43 | jafo | set | priority: high; nosy: + jafo; messages: + msg56022
2007-09-19 01:02:34 | donmez | create |