FS#57813 - [python2] Heap-Buffer-Overflow: CVE-2018-1000030

Attached to Project: Arch Linux
Opened by Luke (Gaming4JC) - Tuesday, 13 March 2018, 03:00 GMT
Last edited by freswa (frederik) - Friday, 04 September 2020, 21:34 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Angel Velasquez (angvp), Felix Yan (felixonmars), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a
Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable,
and it appears that Python 2.7.17 and prior may also be vulnerable; however,
this has not been confirmed. The vulnerability lies when multiple threads
are handling large amounts of data. In both cases there is essentially a
race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is
creating the size for a buffer, but Thread 1 is already writing to the
buffer without knowing how much to write. So when a large amount of data is
being processed, it is very easy to cause memory corruption using a
Heap-Buffer-Overflow. As for the Use-After-Free,
Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT
has stated that this is not a security vulnerability due to the fact that
the attacker must be able to run code; however, in some situations, such as
function as a service, this vulnerability can potentially be used by an
attacker to violate a trust boundary, and as such the DWF feels this issue
deserves a CVE.


Additional info:
* package version(s) 2.7.14-2

Further tracking: https://security-tracker.debian.org/tracker/CVE-2018-1000030
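The race described above comes from several threads driving one file object's read buffer at the same time. The following is an added example, not code from this report or from CPython: a wrapper that serializes every operation on a shared file object, plus a non-blocking variant that refuses a concurrent call instead of racing (the "already in use" guard here is a constructed pattern, not a claim about how upstream fixed fileobject.c). The in-memory input is constructed and stands in for a real file.

```python
import io
import threading


class GuardedFile:
    """Wrap a file-like object so only one thread drives its read buffer at a time."""
    def __init__(self, fileobj):
        self._f = fileobj
        self._lock = threading.Lock()

    def readline(self):
        # Blocking: readers queue up instead of sharing the buffer.
        with self._lock:
            return self._f.readline()

    def try_readline(self):
        # Non-blocking: refuse rather than race (constructed guard, not CPython's).
        if not self._lock.acquire(blocking=False):
            raise IOError("File already in use")
        try:
            return self._f.readline()
        finally:
            self._lock.release()


def read_lines_concurrently(data, n_threads=4):
    """Drain one shared in-memory file from several threads; return its lines."""
    shared = GuardedFile(io.BytesIO(data))  # constructed input in place of a real file
    seen, seen_lock = [], threading.Lock()

    def worker():
        for line in iter(shared.readline, b""):
            with seen_lock:
                seen.append(line)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(seen)


def in_use_guard_trips():
    """Hold the lock as a busy thread would; try_readline must refuse, not race."""
    g = GuardedFile(io.BytesIO(b"x\n"))
    with g._lock:
        try:
            g.try_readline()
            return False
        except IOError:
            return True
```

With the lock in place every line is read exactly once no matter how many threads share the object, which is the property the unpatched interpreter could not guarantee.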
This task depends upon

Closed by: freswa (frederik)
Friday, 04 September 2020, 21:34 GMT
Reason for closing: Fixed
Additional comments about closing: python2 2.7.15-1
Comment by Luke (Gaming4JC) - Tuesday, 13 March 2018, 23:16 GMT
Per upstream, two commits were pushed to fix this CVE. This combineddiff.patch includes both of those commits.

https://bugs.python.org/issue31530

Commit 1 -> https://bugs.python.org/issue31530#msg306021
Commit 2 -> https://bugs.python.org/issue31530#msg309386

Also attaching updated PKGBUILD.
Comment by loqs (loqs) - Sunday, 17 March 2019, 18:07 GMT
The issue appears to have been fixed in https://github.com/python/cpython/commits/v2.7.15/Objects/fileobject.c
@Gaming4JC can you confirm this?
