
Bug 500518 (CVE-2014-1912)

Summary: <dev-lang/python-{2.7.7,3.2.5-r6,3.3.4} : "sock_recvfrom_into()" Buffer Overflow Vulnerability (CVE-2014-1912)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: daniel+gentoo, djc, nikoli, python, sudormrfhalt
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/56624/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=516550
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
CVE-2014-1912-recvfrom_into.patch none

Description Agostino Sarubbo gentoo-dev 2014-02-06 14:30:53 UTC
From ${URL} :

Description

A vulnerability has been discovered in Python, which can be exploited by malicious people to potentially 
compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "sock_recvfrom_into()" function 
(Modules/socketmodule.c) and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 2.7 and reported in versions 3.1, 3.2, and 3.3.


Solution:
Fixed in the source code repository.

Further details available to Secunia VIM customers

Provided and/or discovered by:
Ryan Smith-Roberts within a bug ticket.

Original Advisory:
http://bugs.python.org/issue20246


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-02-25 14:27:33 UTC
*** Bug 502404 has been marked as a duplicate of this bug. ***
Comment 2 Samuel Damashek (RETIRED) gentoo-dev 2014-03-03 19:03:33 UTC
*** Bug 503348 has been marked as a duplicate of this bug. ***
Comment 3 Andrey Ovcharov 2014-07-27 19:04:35 UTC
Created attachment 381668 [details, diff]
CVE-2014-1912-recvfrom_into.patch
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-07-27 19:07:46 UTC
CVE-2014-1912 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1912):
  Buffer overflow in the socket.recvfrom_into function in
  Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and
  3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a
  crafted string.
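
Added example, not code from this bug report or from CPython: a defensive wrapper around `socket.recvfrom_into()` plus a check of an upstream version against the ranges quoted in the CVE text above. It assumes, per the upstream issue linked in the description, that the boundary error is a missing check of `nbytes` against the destination buffer's size; the names `upstream_affected`, `checked_recvfrom_into` and `demo` are hypothetical.

```python
import socket
import sys

def upstream_affected(vi=sys.version_info):
    """True if an upstream version is in the ranges quoted in the CVE text.
    Distro backports (e.g. Gentoo's python-3.2.5-r6) are not visible here."""
    v = tuple(vi[:3])
    if vi[0] == 2:
        return (2, 5, 0) <= v < (2, 7, 7)
    if vi[0] == 3 and v < (3, 3, 4):
        return True
    # 3.4 pre-releases before rc1 report releaselevel 'alpha' or 'beta'
    return v == (3, 4, 0) and tuple(vi[3:4]) in (("alpha",), ("beta",))

def checked_recvfrom_into(sock, buf, nbytes=0, flags=0):
    """recvfrom_into() with the size check done before the C call."""
    mv = memoryview(buf)
    size = len(mv) * mv.itemsize          # byte size of a 1-D writable buffer
    if nbytes < 0 or nbytes > size:
        raise ValueError("nbytes %d outside 0..%d" % (nbytes, size))
    return sock.recvfrom_into(buf, nbytes or size, flags)

def demo():
    """Exercise the wrapper over a local datagram socket pair (no network)."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        a.send(b"constructed")            # constructed sample datagram
        buf = bytearray(16)
        n, _addr = checked_recvfrom_into(b, buf, 16)
        try:
            checked_recvfrom_into(b, buf, 32)   # larger than the 16-byte buffer
            rejected = False
        except ValueError:
            rejected = True
        return n, bytes(buf[:n]), rejected
    finally:
        a.close()
        b.close()

if __name__ == "__main__":
    print("upstream version in affected range:", upstream_affected())
    print("demo:", demo())
```

The version check only reflects upstream release numbers; on Gentoo the installed package revision decides whether a backported fix is present.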
Comment 5 Mike Gilbert gentoo-dev 2014-07-28 14:51:40 UTC
Please go ahead and stabilize dev-lang/python-2.7.7 and dev-lang/python-3.3.5.

Somebody should probably back-port the fix for python-3.2.

http://hg.python.org/cpython/rev/9c56217e5c79/
Comment 6 Mike Gilbert gentoo-dev 2014-07-28 14:55:32 UTC
I think this still leaves us vulnerable to bug 514686, so this will likely be followed by a revbump or version bump for that bug whenever someone can get to it.
Comment 7 Sergey Popov gentoo-dev 2014-07-29 07:55:23 UTC
Arches, please test and mark stable

=dev-lang/python-2.7.7
=dev-lang/python-3.2.5-r6
=dev-lang/python-3.3.5-r1

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 8 Jeroen Roovers gentoo-dev 2014-07-30 10:23:32 UTC
(In reply to Sergey Popov from comment #7)
> Arches, please test and mark stable
> 
> =dev-lang/python-2.7.7
> =dev-lang/python-3.2.5-r6
> =dev-lang/python-3.3.5-r1

You forgot:
=dev-tcltk/tix-8.4.3-r1

> Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 9 Jeroen Roovers gentoo-dev 2014-07-31 07:44:42 UTC
Stable for HPPA.
Comment 10 Tobias Klausmann gentoo-dev 2014-07-31 12:46:28 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-02 13:44:22 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-02 13:47:59 UTC
x86 stable
Comment 13 Markus Meier gentoo-dev 2014-08-03 18:25:41 UTC
arm stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2014-08-04 18:52:19 UTC
ia64/sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-08-08 21:42:30 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:32 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 17 Dirkjan Ochtman gentoo-dev 2014-08-18 20:10:31 UTC
Cleanup done.
Comment 18 Kristian Fiskerstrand gentoo-dev Security 2014-08-18 20:18:04 UTC
(In reply to Dirkjan Ochtman from comment #17)
> Cleanup done.

Thank you for cleanup. I'm changing title to < 3.3.4 as this is the version mentioned in CVE as fixed for this branch so it seems OK that this is still in the tree. 

New GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:35:56 UTC
This issue was resolved and addressed in
 GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10
by GLSA coordinator Kristian Fiskerstrand (K_F).