heap overflow in zipimporter module

[InsuYun]

BPO	26171
Nosy	@birkenfeld, @ned-deily, @mcepl, @berkerpeksag
Files	crash.py patch-Modules_zipimport-CVE-2016-5636.c: Modules/zipimport.c patch for CVE-2016-5636

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2016-09-14.05:41:18.101>
created_at = <Date 2016-01-21.03:52:32.962>
labels = ['type-security']
title = 'heap overflow in zipimporter module'
updated_at = <Date 2018-08-04.20:33:19.380>
user = 'https://bugs.python.org/InsuYun'

bugs.python.org fields:

activity = <Date 2018-08-04.20:33:19.380>
actor = 'mcepl'
assignee = 'none'
closed = True
closed_date = <Date 2016-09-14.05:41:18.101>
closer = 'berker.peksag'
components = []
creation = <Date 2016-01-21.03:52:32.962>
creator = 'Insu Yun'
dependencies = []
files = ['41677', '43427']
hgrepos = []
issue_num = 26171
keywords = []
message_count = 11.0
messages = ['258733', '258736', '258779', '268693', '268698', '268700', '269194', '276380', '276381', '278228', '278324']
nosy_count = 8.0
nosy_names = ['georg.brandl', 'ned.deily', 'mcepl', 'python-dev', 'berker.peksag', 'Insu Yun', 'vladk', 'Parvesh jain']
pr_nums = []
priority = None
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue26171'
versions = ['Python 2.7', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6']

[InsuYun]

in zipimport.c
1116 bytes_size = compress == 0 ? data_size : data_size + 1;
1117 if (bytes_size == 0)
1118 bytes_size++;
1119 raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

If compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.

[python-dev]

New changeset 01ddd608b85c by Benjamin Peterson in branch '3.4':
prevent buffer overflow in get_data (closes bpo-26171)
https://hg.python.org/cpython/rev/01ddd608b85c

New changeset 985fc64c60d6 by Benjamin Peterson in branch '2.7':
prevent buffer overflow in get_data (closes bpo-26171)
https://hg.python.org/cpython/rev/985fc64c60d6

New changeset 10dad6da1b28 by Benjamin Peterson in branch '3.5':
merge 3.4 (bpo-26171)
https://hg.python.org/cpython/rev/10dad6da1b28

New changeset 2df462852464 by Benjamin Peterson in branch 'default':
merge 3.5 (bpo-26171)
https://hg.python.org/cpython/rev/2df462852464

[InsuYun]

in zipimport.c
1116 bytes_size = compress == 0 ? data_size : data_size + 1;
1117 if (bytes_size == 0)
1118 bytes_size++;
1119 raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

If compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.

[vladk]

I believe this should be applied to Python 3.3 as well, since the same problem (unchecked data_size before adding +1 for bytes_size) exists there too, and is thus a security issue.

[ned-deily]

reopening for 3.3.7 evaluation. Georg?

[vladk]

Here's the patch that I made for FreeBSD's Python 3.3 port. With this patch, on FreeBSD, Python 3.3 built fine and passed the zipimport related unit tests. It's basically the same code from 3.4, 3.5 and 2.7, just placed at appropriate place in the source.

[vladk]

Any updates on this? We've committed the patch for Python 3.3 as well in FreeBSD.

https://svnweb.freebsd.org/ports?view=revision&revision=417019

[python-dev]

New changeset 5ae8756a1ae0 by Berker Peksag in branch '3.3':
Issue bpo-26171: Prevent buffer overflow in get_data
https://hg.python.org/cpython/rev/5ae8756a1ae0

New changeset fa006d671f41 by Berker Peksag in branch '3.4':
Issue bpo-26171: Null merge
https://hg.python.org/cpython/rev/fa006d671f41

New changeset 2fb148cd95a2 by Berker Peksag in branch '3.5':
Issue bpo-26171: Null merge
https://hg.python.org/cpython/rev/2fb148cd95a2

New changeset aa0c49b8edae by Berker Peksag in branch '3.6':
Issue bpo-26171: Null merge
https://hg.python.org/cpython/rev/aa0c49b8edae

New changeset f3df6b16af7d by Berker Peksag in branch 'default':
Issue bpo-26171: Null merge
https://hg.python.org/cpython/rev/f3df6b16af7d

[berkerpeksag]

Thanks!

[Parveshjain]

I think patches put up in http://bugs.python.org/msg258736 is at least not sufficient enough for Python 2.7.
POC script(crash.py) provided with the issue calls get_data with data_size = -1.
I am using Python 2.7.8 . I patched the same with the solution provided in https://hg.python.org/cpython/rev/985fc64c60d6 . I was still able to reproduce the issue and it failed with

Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault (core dumped)

but I couldn't reproduce the same with latest 2.7.12:-

jchang@qasus-ubun12x64-001:~/Downloads/Python-2.7.12$ python2.7 -V
Python 2.7.12
jchang@qasus-ubun12x64-001:~/Downloads/Python-2.7.12$ python2.7 crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zipimport.ZipImportError: negative data size

As we can see issue does happen in 2.7.12 because of following extra check :-

if (data_size < 0) {
        PyErr_Format(ZipImportError, "negative data size");
        return NULL;
    }

which was merged in https://hg.python.org/cpython/rev/2edbdb79cd6d.

I was thinking of backporting the same to Python 2.7.8 as well to completely address this issue. Could you guys confirm if my understanding is correct on this ? Thanks