Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 192876 - dev-lang/python imageop multiple integer-overflows (CVE-2007-4965)
Summary: dev-lang/python imageop multiple integer-overflows (CVE-2007-4965)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/25696/
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-17 23:46 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-10 08:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 23:46:16 UTC
According to SecurityFocus:
  Python's imageop module is prone to multiple integer-overflow
  vulnerabilities. These issues are due to a failure of the module to
  properly bounds-check user-supplied input to ensure that integer
  operations do not overflow.
  Successfully exploiting these issues require the ability to control
  the arguments to imageop functions. The ability for remote attackers
  to do this depends on the nature of applications that utilize the
  vulnerable functions.
  Attackers would likely submit invalid or specially-crafted images
  to applications that perform imageop operations on the data.
  Successfully exploiting these issues may allow attacker-supplied
  machine code to execute in the context of affected applications,
  facilitating the remote compromise of computers.

The issue was discovered by Slythers Bro.
I could reproduce a crash on x86. This is not an issue on amd64, as imageop is not installed there.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-18 00:00:34 UTC
Setting whiteboard and pulling in maintainers for advice.
As far as I can see, all pythons in the tree are vulnerable for this, at least on 32bit installs.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 00:20:53 UTC
CVE assigned CVE-2007-4965 to this issue. The description there only confirms an attacker could "possibly obtain sensitive information" and "unspecified other vectors", but no explicit code execution.

python, did you hear anything about this in upstream channels yet?
Comment 3 Ali Polatel (RETIRED) gentoo-dev 2007-10-05 13:16:59 UTC
Upstream has a bug about this[1] and the last patch attached fixes the issue
but the patch is not perfect, see guido's comment[2].

[1]: http://bugs.python.org/issue1179
[2]: http://bugs.python.org/msg56052
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-17 18:33:53 UTC
Hawking is this one ready for ebuild?
Comment 5 Ali Polatel (RETIRED) gentoo-dev 2007-10-24 21:48:45 UTC
As Robert mentioned, all python versions in the tree are affected by this.
I've committed three revbumps today, fixing the bug for all python versions
that we support.
python-2.3.6-r3, python-2.4.4-r6 and python-2.5.1-r3 are fixed versions.
To check whether the bug is fixed, the file poc.py attached to the bug I've
mentioned in my previous comment can be used. The expected output is:
"""
4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545
Traceback (most recent call last):
  File "poc.py", line 12, in ?
      dtc = imageop.tovideo(sexshit,1,4461,-2147002257)
      imageop.error: String has incorrect length
"""

P.S: the variable names in the mentioned file are kinda weird.. well.. :-)
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-25 07:30:44 UTC
Thx Hawking

Arhces please test and mark stable. Target keywords are:

python-2.3.6-r3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
python-2.4.4-r6.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-25 10:00:44 UTC
x86 stable
Comment 8 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2007-10-25 12:12:56 UTC
On amd64 Everything is working.Python works flawlessly still(emerge, and various other things)

Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3400+
Timestamp of tree: Thu, 25 Oct 2007 01:47:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/distfiles"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/overlay"
SYNC="rsync://kv80/gentoo-portage"
USE="X acl acpi aim alsa amd64 arts berkdb bitmap-fonts branding cairo cli cracklib crypt cups dbus dri dvd dvdread emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer hal iconv imap ipv6 isdnlog jpeg kde kerberos mad midi mikmod mmx mp3 mpeg mqsli mudflap mysql ncurses nls nptl nptlonly nvidia ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support quicktime readline reflection sdl session sockets spell spl sqlite3 sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vim vorbis xcomposite xine xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-10-25 14:09:37 UTC
ppc64 stable
Comment 10 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-10-25 17:17:49 UTC
amd64 done.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-10-25 17:35:27 UTC
this bug is not done
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-10-25 19:08:04 UTC
alpha/ia64/sparc stable
Comment 13 Jeroen Roovers gentoo-dev 2007-10-26 00:49:23 UTC
Stable for HPPA.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-27 11:19:58 UTC
ppc stable, ready for glsa
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-10-27 13:38:50 UTC
(In reply to comment #14)
> ready for glsa

Thanks, filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-07 19:53:55 UTC
GLSA 200711-07