This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: integer overflow in 'buffer' type allows reading memory
Type: security Stage: resolved
Components: Interpreter Core Versions: Python 2.7
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Arfrever, Henri.Salo, benjamin.peterson, python-dev
Priority: release blocker Keywords:

Created on 2014-06-24 03:11 by benjamin.peterson, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg221392 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2014-06-24 03:11
Reported by Chris Foster on the security list:

$ ./python 
Python 2.7.7+ (2.7:8e0b7393e921, Jun 24 2014, 03:01:40) 
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> a = bytearray('hola mundo')
>>> b = buffer(a, 0x7fffffff, 0x7fffffff)
>>> print repr(b[:0x100])
"\x00\x08\x11\x00\x00\x00\x00\x00\x00\x00\xa00_\xf7\x10\x00\x00\x00i\x03\x00\x00\x02\x00\x00\x00\xa0\xd1\x18\x08I\x03\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00Directory tree walk with callback function.\n\n    For each directory in the directory tree rooted at top (including top\n    itself, but excluding '.' and '..'), call func(arg, dirname, fnames).\n    dirname is the na"
msg221393 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2014-06-24 03:13
New changeset 8d963c7db507 by Benjamin Peterson in branch '2.7':
avoid overflow with large buffer sizes and/or offsets (closes #21831)
msg227578 - (view) Author: Henri Salo (Henri.Salo) Date: 2014-09-25 21:34
msg228341 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2014-10-03 17:09
New changeset 5ef28c22dc24 by doko in branch '2.7':
- Add CVE number for Issue #21831
Date User Action Args
2022-04-11 14:58:05adminsetgithub: 66030
2014-10-03 17:09:10python-devsetmessages: + msg228341
2014-09-30 13:40:35Arfreversetnosy: + Arfrever
2014-09-25 21:34:31Henri.Salosetnosy: + Henri.Salo
messages: + msg227578
2014-06-24 03:13:54python-devsetstatus: open -> closed

nosy: + python-dev
messages: + msg221393

resolution: fixed
stage: resolved
2014-06-24 03:11:23benjamin.petersoncreate