python2.7: CVE-2014-4616: JSON module: reading arbitrary process memory

Related Vulnerabilities: CVE-2014-4616  

Debian Bug report logs - #752395


Reported by: Gert van Dijk <gertvdijk@gmail.com>

Date: Mon, 23 Jun 2014 11:45:02 UTC

Severity: normal

Tags: patch, security

Found in versions python2.7/2.7.3-6, python2.7/2.7.3-6+deb7u2

Fixed in version python2.7/2.7.7-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#752395; Package python2.7. (Mon, 23 Jun 2014 11:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Gert van Dijk <gertvdijk@gmail.com>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 23 Jun 2014 11:45:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Gert van Dijk <gertvdijk@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python2.7: JSON module: reading arbitrary process memory
Date: Mon, 23 Jun 2014 13:43:21 +0200
Package: python2.7
Version: 2.7.3-6+deb7u2
Severity: normal
Tags: security,patch

Dear Maintainer,

As reported upstream, the JSON module of Python is vulnerable to reading
arbitrary process memory. Please apply the patch as included in the bug report
http://bugs.python.org/issue21529

I'm not aware of any CVE assigned to this bug.

Patch is applied upstream in 2.7.7, so this only applies to wheezy and
squeeze-lts.

--- python2.7-2.7.3/Modules/_json.c     2012-04-10 01:07:33.000000000 +0200
+++ python2.7-2.7.3-withpatch/Modules/_json.c   2014-06-23
13:40:15.647298884 +0200
@@ -1491,7 +1491,7 @@
     PyObject *res;
     char *str = PyString_AS_STRING(pystr);
     Py_ssize_t length = PyString_GET_SIZE(pystr);
-    if (idx >= length) {
+    if ( idx < 0 || idx >= length) {
         PyErr_SetNone(PyExc_StopIteration);
         return NULL;
     }
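Review bot: the new guard `if ( idx < 0 || idx >= length)` closes the negative-index path in the PyString variant, but a negative idx is then reported with the same `PyErr_SetNone(PyExc_StopIteration)` used for running off the end of the string, so a caller that treats StopIteration as end-of-input will silently accept an invalid index instead of seeing an error. Consider a separate branch for `idx < 0` that raises ValueError via `PyErr_SetString(PyExc_ValueError, ...)`, and drop the stray space after the opening parenthesis to match the surrounding style.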
@@ -1578,7 +1578,7 @@
     PyObject *res;
     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
-    if (idx >= length) {
+    if ( idx < 0 || idx >= length) {
         PyErr_SetNone(PyExc_StopIteration);
         return NULL;
     }
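Review bot: the PyUnicode variant repeats the guard verbatim, including the same conflation of a negative idx with end-of-input through `PyErr_SetNone(PyExc_StopIteration)` and the same stray space in `if ( idx < 0`. Since both the PyString and PyUnicode paths take the same signed `idx`, a single range check performed once before dispatching to either variant would avoid keeping two copies in sync and would let a negative index be rejected with a distinct ValueError rather than StopIteration.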

-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python2.7 depends on:
ii  libbz2-1.0         1.0.6-4
ii  libc6              2.13-38+deb7u1
ii  libdb5.1           5.1.29-5
ii  libexpat1          2.1.0-1+deb7u1
ii  libgcc1            1:4.7.2-5
ii  libncursesw5       5.9-10
ii  libreadline6       6.2+dfsg-0.1
ii  libsqlite3-0       3.7.13-1+deb7u1
ii  libtinfo5          5.9-10
ii  mime-support       3.52-1
ii  python2.7-minimal  2.7.3-6+deb7u2

python2.7 recommends no packages.

Versions of packages python2.7 suggests:
ii  binutils       2.22-8
pn  python2.7-doc  <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#752395; Package python2.7. (Mon, 23 Jun 2014 13:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Vasyl Kaigorodov <vkaigoro@redhat.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 23 Jun 2014 13:57:05 GMT) (full text, mbox, link).


Message #10 received at 752395@bugs.debian.org (full text, mbox, reply):

From: Vasyl Kaigorodov <vkaigoro@redhat.com>
To: oss-security@lists.openwall.com
Cc: 752395@bugs.debian.org
Subject: CVE request: python: _json module is vulnerable to arbitrary process memory read
Date: Mon, 23 Jun 2014 16:02:08 +0200
Hello,

It was reported [1] that Python's built-in _json module has a flaw
(insufficient bounds checking), which allows a local user to read
the current process's arbitrary memory.
From initial bug report [1]:
...
The sole prerequisites of this attack are that the attacker is able to
control or influence the two parameters of the default scanstring
function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index
value. The index value is then used directly as an index to an array
in the C code; internally the address of the array and its index are
added to each other in order to yield the address of the value that is
desired. However, by supplying a negative index value and adding this
to the address of the array, the processor's register value wraps
around and the calculated value will point to a position in memory
which isn't within the bounds of the supplied string, causing the
function to access other parts of the process memory.
...

Can a CVE ID be assigned to this issue please?
Also CC'ing the Debian bug report here.


References:
[1] Upstream bug report with additional technical details: http://bugs.python.org/issue21529
[2] Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
[3] RedHat bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1112285

Thanks.
-- 
Vasyl Kaigorodov | Red Hat Product Security Team
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
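The mechanism described above (a caller-supplied signed index added to the array base, so that a negative value lands outside the string) is illustrated here with a small string scanner written for this page, not taken from CPython's _json.c. It mirrors the shape of scanstring (buffer, length, index just past the opening quote) and applies the guard from the patch before the first read; scan_quoted, scan_quoted_cstr and the status codes are hypothetical names.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Status codes: a non-negative result is the index one past the closing
 * quote; negatives are errors. Names are hypothetical, not CPython's. */
enum { SCAN_BAD_INDEX = -1, SCAN_UNTERMINATED = -2 };

/* Find the end of a JSON string whose opening quote sits just before idx.
 * str/length describe the buffer and idx is a caller-controlled signed
 * offset, exactly the situation in _json.c. The pre-patch code checked only
 * idx >= length, so idx = -N made str[idx] read N bytes below the buffer;
 * the patched guard rejects both directions before any byte is touched. */
ssize_t scan_quoted(const char *str, ssize_t length, ssize_t idx)
{
    if (idx < 0 || idx >= length)
        return SCAN_BAD_INDEX;
    for (ssize_t i = idx; i < length; i++) {
        if (str[i] == '\\') {           /* skip the escaped character */
            if (i + 1 >= length)
                return SCAN_UNTERMINATED;
            i++;
            continue;
        }
        if (str[i] == '"')
            return i + 1;
    }
    return SCAN_UNTERMINATED;           /* ran off the end: no closing quote */
}

/* Convenience wrapper for NUL-terminated constructed inputs. */
ssize_t scan_quoted_cstr(const char *s, ssize_t idx)
{
    return scan_quoted(s, (ssize_t)strlen(s), idx);
}
```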

Marked as found in versions python2.7/2.7.3-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 23 Jun 2014 18:39:20 GMT) (full text, mbox, link).


Marked as fixed in versions python2.7/2.7.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 23 Jun 2014 18:39:21 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#752395; Package python2.7. (Mon, 23 Jun 2014 19:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Gert van Dijk <gertvdijk@gmail.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 23 Jun 2014 19:57:04 GMT) (full text, mbox, link).


Message #19 received at 752395@bugs.debian.org (full text, mbox, reply):

From: Gert van Dijk <gertvdijk@gmail.com>
To: 752395@bugs.debian.org
Date: Mon, 23 Jun 2014 21:53:37 +0200
Should I submit an additional bug report for the python3 package?
It affects Python 3.x in a similar way (see the upstream bug report).

--
Gert van Dijk



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#752395; Package python2.7. (Tue, 24 Jun 2014 06:03:17 GMT) (full text, mbox, link).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Tue, 24 Jun 2014 06:03:17 GMT) (full text, mbox, link).


Message #24 received at 752395@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org
To: vkaigoro@redhat.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 752395@bugs.debian.org
Subject: Re: CVE request: python: _json module is vulnerable to arbitrary process memory read
Date: Tue, 24 Jun 2014 02:00:47 -0400 (EDT)

> The bug is caused by allowing the user to supply a negative index
> value.

> http://bugs.python.org/issue21529
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
> https://bugzilla.redhat.com/show_bug.cgi?id=1112285
> https://hackerone.com/reports/12297

Use CVE-2014-4616.

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395#5
> Package: python2.7

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395#19
> It affects Python 3.x in a similar way

The same CVE ID applies to affected Python 2.x and 3.x versions.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Changed Bug title to 'python2.7: CVE-2014-4616: JSON module: reading arbitrary process memory' from 'python2.7: JSON module: reading arbitrary process memory' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Jun 2014 06:21:05 GMT) (full text, mbox, link).


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Thu, 31 Aug 2017 09:09:09 GMT) (full text, mbox, link).


Notification sent to Gert van Dijk <gertvdijk@gmail.com>:
Bug acknowledged by developer. (Thu, 31 Aug 2017 09:09:09 GMT) (full text, mbox, link).


Message #31 received at 752395-done@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@debian.org>
To: 752395-done@bugs.debian.org
Subject: fixed in oldstable and stable
Date: Thu, 31 Aug 2017 11:07:28 +0200
fixed in oldstable and stable



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Sep 2017 07:30:43 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:32:23 2019; Machine Name: beach
