
Bug 514686 (CVE-2014-4616)

Summary: <dev-lang/python-{2.7.7,3.2.5-r5,3.3.5-r1}: _json module is vulnerable to arbitrary process memory read (CVE-2014-4616)
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: python, sudormrfhalt
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/oss-sec/2014/q2/613
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
CVE-2014-4616-json-bounds-check.patch (flags: none)

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-23 14:04:13 UTC
From ${URL}:
Hello,

It was reported [1] that the Python built-in _json module has a flaw
(insufficient bounds checking), which allows a local user to read
the current process's arbitrary memory.
From the initial bug report [1]:
...
The sole prerequisites of this attack are that the attacker is able to
control or influence the two parameters of the default scanstring
function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index
value. The index value is then used directly as an index to an array
in the C code; internally the address of the array and its index are
added to each other in order to yield the address of the value that is
desired. However, by supplying a negative index value and adding this
to the address of the array, the processor's register value wraps
around and the calculated value will point to a position in memory
which isn't within the bounds of the supplied string, causing the
function to access other parts of the process memory.

...

References:
[1] Upstream bug report with additional technical details: http://bugs.python.org/issue21529
[2] Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
[3] RedHat bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1112285
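The negative-index behaviour quoted above, as an added example that is not part of the bug report, the oss-sec post or CPython itself. The first part models the unchecked scan loop over a constructed byte buffer (MEMORY, LEAKABLE, STRING_OFFSET and model_scanstring are all constructed here; the "SECRET-COOKIE" bytes stand in for whatever happens to sit in front of the string's data) so the out-of-bounds read is visible, and applies the bounds check beside it. The second part probes the interpreter it runs under by feeding negative indexes to the two json entry points that pass a caller-supplied index straight into the C scanner, scanstring and JSONDecoder.raw_decode, and classifies the outcome.

```python
"""CVE-2014-4616: negative index reaching the C _json scanner.

Added example for this bug page; not code from the report, oss-sec or CPython.
Part 1 models the unchecked scan loop over a constructed buffer so the
out-of-bounds read is visible; part 2 probes the interpreter it runs under.
"""
import json
import json.decoder

# Constructed stand-in for process memory: unrelated data immediately followed
# by the attacker-controlled JSON string. In the real bug the bytes in front of
# the string data are the str object's header and neighbouring heap objects.
LEAKABLE = b'SECRET-COOKIE=0xdeadbeef;'
JSON_STRING = b'"abc"'
MEMORY = bytearray(LEAKABLE + JSON_STRING)
STRING_OFFSET = len(LEAKABLE)      # where the string's data starts in MEMORY
STRING_LEN = len(JSON_STRING)


def model_scanstring(memory, base, length, end, checked):
    """Model of the scan loop in scanstring (escape decoding omitted).

    The string occupies memory[base:base+length]; `end` is the caller-supplied
    index just past the opening quote. The loop reads memory[base + end] and
    walks forward until it meets '"' or '\\'. With checked=False the index is
    used as-is, as in the affected builds, so a negative `end` starts the read
    in front of the string. checked=True applies the kind of bounds check the
    fix added. Returns (chunk, index after the closing quote), the same shape
    json.decoder.scanstring returns.
    """
    if checked and (end < 0 or end > length):
        raise ValueError("end is out of bounds")
    for nxt in range(end, length):          # base + nxt can be below base
        if memory[base + nxt] in (ord('"'), ord('\\')):
            break
    else:
        raise ValueError("Unterminated string starting at %d" % (end - 1))
    return bytes(memory[base + end:base + nxt]), nxt + 1


def _classify(call):
    """'rejected' if the call raises ValueError (a bounds check fired),
    'accepted' if it returned (the index was used unchecked), 'other' for any
    other exception. An unpatched build can also crash outright when the read
    leaves mapped memory; that cannot be caught here."""
    try:
        call()
    except ValueError:
        return 'rejected'
    except Exception:
        return 'other'
    return 'accepted'


def probe_live_interpreter():
    """Feed negative indexes to the entry points that hand a caller index to
    the C scanner. scanstring is only probed when the C implementation is in
    use; the pure-Python fallback matches a regex, which never reads outside
    the str, so its answer says nothing about the C module."""
    results = {'c_module': json.decoder.c_scanstring is not None}
    if results['c_module']:
        results['scanstring'] = _classify(
            lambda: json.decoder.scanstring('"abc"', -1))
    else:
        results['scanstring'] = 'skipped'
    results['raw_decode'] = _classify(
        lambda: json.JSONDecoder().raw_decode('a' * 42, -50000))
    return results


if __name__ == '__main__':
    print(model_scanstring(MEMORY, STRING_OFFSET, STRING_LEN, 1, checked=False))
    print(model_scanstring(MEMORY, STRING_OFFSET, STRING_LEN, -STRING_OFFSET,
                           checked=False))
    print(probe_live_interpreter())
```

On a CPython with the fix, both probed calls raise ValueError and the probe reports 'rejected' for scanstring and raw_decode; 'accepted' from the C module means the index went through unchecked. Note the prerequisite the report states: the attacker has to control the index argument. json.loads and json.load never pass a negative index, so ordinary parsing of hostile JSON does not reach this; the exposure is application code that calls scanstring, raw_decode or scan_once with an attacker-influenced position.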
Comment 2 Andrey Ovcharov 2014-07-27 19:05:23 UTC
Created attachment 381670
CVE-2014-4616-json-bounds-check.patch
Comment 3 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-08-18 20:33:50 UTC
Cleanup done.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-18 20:35:36 UTC
Thanks. Added to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:36:19 UTC
This issue was resolved and addressed in
 GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10
by GLSA coordinator Kristian Fiskerstrand (K_F).