[CVE-2007-4965] Integer overflow in imageop module #45520
Comments
As reported at |
It's unclear if this only causes a crash or if it can inject data. |
Cartman, please refrain from using vulgarities in your sample code. It's |
Guido: That code came from the full-disclosure list posting, I think |
So I think this is all the places integer overflow checking is needed Feel free to comment. PS: This is against the 2.5 in Fedora-7, but it should apply to upstream. |
Guido, The poc is taken as is, sorry. |
And now the obvious typo fix, *sigh*. |
nevyn: Your patch cleanly applies to python 2.4.4 and fixes the Thanks. |
Hm. First of all, it seems the imageop module has completely missed the Second, I don't think that "if ( x != len / y )" is a valid replacement |
Guido: It's true that that len can be slightly bigger than x*y, the big However we could have both cases covered by doing: if ( (len != x*y) || (x != (len / y)) ) ...but esp. at that point it seems like we'd want some interface so that if ( check_mutliplies2(len, x, y) ) |
Neal, didn't you say you had a fix for this? |
Not sure who Neal is, and this probably isn't a final upstream fix ... if x * y != len ...the first patch did: if len / x != y ...and this patch does: if x * y != len || |
Is this final yet? Our system security group is a little paranoid about |
Sigh. I'll try to make time to review & apply this. |
I've applied the last patch I posted to recent RHEL and Fedora |
Same here for Pardus Linux, applied the patch without a regression. |
Sorry this missed the 2.5.2 release. I'll try to look again before |
The following test cases still cause bus errors with the patch applied:
import imageop; imageop.rgb82rgb('A'*(2**30), 32768, 32768)
import imageop; imageop.grey2rgb('A'*(2**30), 32768, 32768) |
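The thread argues over three forms of the size check (x*y != len, len/x != y, and both combined), and the two test cases above show that even a correct input-length check is not enough when the derived output size overflows. The following C program is an added example written for this page; it is not the imageop source and not any of the patches posted here. It contrasts the division-only and product-only checks with an overflow-safe check that also bounds the output buffer. The assumed values are: 4 output bytes per pixel for rgb82rgb, and INT_MAX as the limit standing in for a 32-bit int size field.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Division form discussed in the thread: x == len / y.
 * Integer division rounds down, so len may exceed x*y by up to y-1 bytes
 * and still pass, which is the objection raised against this form. */
static int division_check_ok(uint32_t len, uint32_t x, uint32_t y)
{
    if (y == 0)
        return 0;
    return x == len / y;
}

/* Product form: x*y == len, computed in 32-bit arithmetic.
 * Unsigned 32-bit wraparound is used so the result is well defined; it
 * models the wrap that the thread is worried about for int arithmetic. */
static int product_check_ok(uint32_t len, uint32_t x, uint32_t y)
{
    return (uint32_t)(x * y) == len;
}

/* Overflow-safe check: dimensions non-zero, x*y computed without wrap and
 * equal to len exactly, and the derived output buffer (pixels * out_bpp)
 * not exceeding 'limit'. Returns 1 when safe and stores the output size. */
static int safe_dims_ok(size_t len, size_t x, size_t y, size_t out_bpp,
                        size_t limit, size_t *out_len)
{
    if (x == 0 || y == 0 || out_bpp == 0)
        return 0;
    if (x > SIZE_MAX / y)            /* x*y would overflow size_t */
        return 0;
    size_t pixels = x * y;
    if (pixels != len)               /* exact match, no rounding slack */
        return 0;
    if (pixels > limit / out_bpp)    /* pixels*out_bpp would exceed limit */
        return 0;
    *out_len = pixels * out_bpp;
    return 1;
}

int main(void)
{
    size_t out = 0;
    int ok;

    /* len=7 with 2x3: division check passes (7/3 == 2) although 7 != 6 */
    printf("division check, len=7 x=2 y=3: %d\n", division_check_ok(7, 2, 3));

    /* 65536*65536 wraps to 0 in 32 bits, so a 0-byte input passes */
    printf("product check, len=0 x=65536 y=65536: %d\n",
           product_check_ok(0, 65536, 65536));

    /* Constructed from the reported case: 2**30 input bytes, 32768x32768.
     * Input length matches, but 4 bytes/pixel output (assumed) exceeds INT_MAX. */
    ok = safe_dims_ok((size_t)1 << 30, 32768, 32768, 4, INT_MAX, &out);
    printf("safe check, 2**30 bytes 32768x32768: %d\n", ok);

    /* A well-formed 2x3 image: accepted, output buffer is 24 bytes */
    ok = safe_dims_ok(6, 2, 3, 4, INT_MAX, &out);
    printf("safe check, 6 bytes 2x3: %d, out_len=%zu\n", ok, out);
    return 0;
}
```

The check order in safe_dims_ok matters: the division guard against SIZE_MAX runs before the multiplication, and the output-size guard divides the limit rather than multiplying the pixel count, so no intermediate value can wrap on any platform width.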
I think this was a module that I skipped. I think Anthony might have |
Uploading patch that addresses the test cases above. It applies on top of |
This is not a release blocker for 2.6 or 3.0. |
This _must_ be a release blocker for Python 3.0. It's a shame that this |
imageop is deleted in 3.0. See PEP-3108. So it can't be a release |
I am sorry for the drama then, :) |
Does anybody still care about this for 2.6? |
The two segfaults reported in msg64682 are still there in 2.6. |
Looking into this now. |
Latest patches applied to 2.5 branch: r65878. |