Debian Bug report logs - #752395
python2.7: CVE-2014-4616: JSON module: reading arbitrary process memory
Reported by: Gert van Dijk <gertvdijk@gmail.com>
Date: Mon, 23 Jun 2014 11:45:02 UTC
Severity: normal
Tags: patch, security
Found in versions python2.7/2.7.3-6, python2.7/2.7.3-6+deb7u2
Fixed in version python2.7/2.7.7-1
Done: Matthias Klose <doko@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#752395; Package python2.7. (Mon, 23 Jun 2014 11:45:07 GMT)
Acknowledgement sent to Gert van Dijk <gertvdijk@gmail.com>: New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 23 Jun 2014 11:45:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: python2.7
Version: 2.7.3-6+deb7u2
Severity: normal
Tags: security,patch
Dear Maintainer,
As reported upstream, the JSON module of Python is vulnerable to reading
arbitrary process memory. Please apply the patch as included in the bug report
http://bugs.python.org/issue21529
I'm not aware of any CVE assigned to this bug.
Patch is applied upstream in 2.7.7, so this only applies to wheezy and
squeeze-lts.
--- python2.7-2.7.3/Modules/_json.c 2012-04-10 01:07:33.000000000 +0200
+++ python2.7-2.7.3-withpatch/Modules/_json.c 2014-06-23
13:40:15.647298884 +0200
@@ -1491,7 +1491,7 @@
PyObject *res;
char *str = PyString_AS_STRING(pystr);
Py_ssize_t length = PyString_GET_SIZE(pystr);
- if (idx >= length) {
+ if ( idx < 0 || idx >= length) {
PyErr_SetNone(PyExc_StopIteration);
return NULL;
}
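Review bot: In the str scanner, the new `idx < 0` case falls into the same branch as `idx >= length` and raises StopIteration, so a caller that passes a negative index gets the end-of-input signal rather than an error about a bad argument. Consider a separate `if (idx < 0)` check that raises ValueError, and keep StopIteration for the upper bound only. Style: drop the space after the opening parenthesis in `if ( idx < 0 || idx >= length)` so it matches the line it replaces.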
@@ -1578,7 +1578,7 @@
PyObject *res;
Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
- if (idx >= length) {
+ if ( idx < 0 || idx >= length) {
PyErr_SetNone(PyExc_StopIteration);
return NULL;
}
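Review bot: The unicode scanner receives the same guard as the str one, but the patch touches only Modules/_json.c and carries no regression test. A test that calls the scanner with a negative idx on both a str and a unicode input, and expects the call to be rejected, would keep the two copies of the check from drifting apart. The `if ( idx` spacing nit applies here as well.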
-- System Information:
Debian Release: 7.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python2.7 depends on:
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-38+deb7u1
ii libdb5.1 5.1.29-5
ii libexpat1 2.1.0-1+deb7u1
ii libgcc1 1:4.7.2-5
ii libncursesw5 5.9-10
ii libreadline6 6.2+dfsg-0.1
ii libsqlite3-0 3.7.13-1+deb7u1
ii libtinfo5 5.9-10
ii mime-support 3.52-1
ii python2.7-minimal 2.7.3-6+deb7u2
python2.7 recommends no packages.
Versions of packages python2.7 suggests:
ii binutils 2.22-8
pn python2.7-doc <none>
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#752395; Package python2.7. (Mon, 23 Jun 2014 13:57:05 GMT)
Acknowledgement sent to Vasyl Kaigorodov <vkaigoro@redhat.com>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 23 Jun 2014 13:57:05 GMT)
Message #10 received at 752395@bugs.debian.org:
Hello,
It was reported [1] that the Python built-in _json module has a flaw
(insufficient bounds checking), which allows a local user to read
current process' arbitrary memory.
From initial bug report [1]:
...
The sole prerequisites of this attack are that the attacker is able to
control or influence the two parameters of the default scanstring
function: the string to be decoded and the index.
The bug is caused by allowing the user to supply a negative index
value. The index value is then used directly as an index to an array
in the C code; internally the address of the array and its index are
added to each other in order to yield the address of the value that is
desired. However, by supplying a negative index value and adding this
to the address of the array, the processor's register value wraps
around and the calculated value will point to a position in memory
which isn't within the bounds of the supplied string, causing the
function to access other parts of the process memory.
...
Can a CVE ID be assigned to this issue please?
Also CC'ing the Debian bugreport here.
References:
[1] Upstream bug report with additional technical details: http://bugs.python.org/issue21529
[2] Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
[3] RedHat bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1112285
Thanks.
--
Vasyl Kaigorodov | Red Hat Product Security Team
PGP: 0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
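Added illustration (not part of the bug log and not CPython code): a C sketch of the entry guard described in the report quoted above, with the pre-patch and patched conditions side by side. The arena contents and the names `scan_at_old`, `scan_at_fixed` and `leak_window` are hypothetical; the neighbouring bytes are placed in the same array as the JSON text so that the negative index stays within defined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed data: unrelated bytes sit directly in front of the JSON text,
 * in one array, so a negative index is defined here yet leaves the string. */
static const char arena[] = "NEIGHBOUR-DATA|[1, 2]";
#define JSON_OFFSET 15 /* arena + 15 is the '[' */

/* Hypothetical stand-ins for the scanner's entry guard. Each returns the
 * byte at str[idx], or -1 where the real code raises StopIteration. */
static int scan_at_old(const char *str, ptrdiff_t length, ptrdiff_t idx)
{
    if (idx >= length) /* pre-patch: upper bound only */
        return -1;
    return (unsigned char)str[idx];
}

static int scan_at_fixed(const char *str, ptrdiff_t length, ptrdiff_t idx)
{
    if (idx < 0 || idx >= length) /* patched: both bounds */
        return -1;
    return (unsigned char)str[idx];
}

/* Probe idx = -n .. -1 and copy every byte the guard lets through into out
 * (out must hold n + 1 bytes). Returns the number of bytes disclosed. */
static size_t leak_window(int fixed, ptrdiff_t n, char *out)
{
    const char *str = arena + JSON_OFFSET;
    ptrdiff_t length = (ptrdiff_t)strlen(str);
    size_t got = 0;
    for (ptrdiff_t idx = -n; idx < 0; idx++) {
        int c = fixed ? scan_at_fixed(str, length, idx)
                      : scan_at_old(str, length, idx);
        if (c >= 0)
            out[got++] = (char)c;
    }
    out[got] = '\0';
    return got;
}

int main(void)
{
    char out[JSON_OFFSET + 1];
    printf("old guard:   %zu bytes \"%s\"\n", leak_window(0, JSON_OFFSET, out), out);
    printf("fixed guard: %zu bytes \"%s\"\n", leak_window(1, JSON_OFFSET, out), out);
    return 0;
}
```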
Marked as found in versions python2.7/2.7.3-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 23 Jun 2014 18:39:20 GMT)
Marked as fixed in versions python2.7/2.7.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 23 Jun 2014 18:39:21 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#752395; Package python2.7. (Mon, 23 Jun 2014 19:57:04 GMT)
Acknowledgement sent to Gert van Dijk <gertvdijk@gmail.com>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 23 Jun 2014 19:57:04 GMT)
Message #19 received at 752395@bugs.debian.org:
Should I submit an additional bug report for the python3 package?
It affects Python 3.x in a similar way (see the upstream bug report).
--
Gert van Dijk
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#752395; Package python2.7. (Tue, 24 Jun 2014 06:03:17 GMT)
Acknowledgement sent to cve-assign@mitre.org: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Tue, 24 Jun 2014 06:03:17 GMT)
Message #24 received at 752395@bugs.debian.org:
> The bug is caused by allowing the user to supply a negative index
> value.
> http://bugs.python.org/issue21529
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
> https://bugzilla.redhat.com/show_bug.cgi?id=1112285
> https://hackerone.com/reports/12297
Use CVE-2014-4616.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395#5
> Package: python2.7
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395#19
> It affects Python 3.x in a similar way
The same CVE ID applies to affected Python 2.x and 3.x versions.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Changed Bug title to 'python2.7: CVE-2014-4616: JSON module: reading arbitrary process memory' from 'python2.7: JSON module: reading arbitrary process memory'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Jun 2014 06:21:05 GMT)
Reply sent to Matthias Klose <doko@debian.org>: You have taken responsibility. (Thu, 31 Aug 2017 09:09:09 GMT)
Notification sent to Gert van Dijk <gertvdijk@gmail.com>: Bug acknowledged by developer. (Thu, 31 Aug 2017 09:09:09 GMT)
Message #31 received at 752395-done@bugs.debian.org:
fixed in oldstable and stable
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Sep 2017 07:30:43 GMT)
Last modified: Wed Jun 19 17:32:23 2019