From ${URL}: Hello, It was reported [1] that Python built-in _json module have a flaw (insufficient bounds checking), which allows a local user to read current process' arbitrary memory. From initial bug report [1]: ... The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index. The bug is caused by allowing the user to supply a negative index value. The index value is then used directly as an index to an array in the C code; internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory. ... References: [1] Upstream bug report with additional technical details: http://bugs.python.org/issue21529 [2] Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395 [3] RedHat bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1112285
Upstream commits (taken from upstream tracker): 2.7: http://hg.python.org/cpython/rev/50c07ed1743d 3.1: http://hg.python.org/cpython/rev/a8facac493ef 3.2: http://hg.python.org/lookup/b9913eb96643 3.3: http://hg.python.org/lookup/4f15bd1ab28f 3.4: http://hg.python.org/lookup/7b95540ced5c 3.5: http://hg.python.org/lookup/3a414c709f1f
Created attachment 381670 [details, diff] CVE-2014-4616-json-bounds-check.patch
Cleanup done.
Thanks. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10 by GLSA coordinator Kristian Fiskerstrand (K_F).
