Bug 500518 (CVE-2014-1912) - <dev-lang/python-{2.7.7,3.2.5-r6,3.3.4} : "sock_recvfrom_into()" Buffer Overflow Vulnerability (CVE-2014-1912)
Alias: CVE-2014-1912
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major with 1 vote
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Duplicates: 502404 503348
Reported: 2014-02-06 14:30 UTC by Agostino Sarubbo
Modified: 2015-03-18 22:35 UTC

CVE-2014-1912-recvfrom_into.patch (CVE-2014-1912-recvfrom_into.patch,1.99 KB, patch)
2014-07-27 19:04 UTC, Andrey Ovcharov

Description Agostino Sarubbo gentoo-dev 2014-02-06 14:30:53 UTC
From ${URL} :


A vulnerability has been discovered in Python, which can be exploited by malicious people to potentially 
compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "sock_recvfrom_into()" function 
(Modules/socketmodule.c) and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 2.7 and reported in versions 3.1, 3.2, and 3.3.

Fixed in the source code repository.

Further details available to Secunia VIM customers

Provided and/or discovered by:
Ryan Smith-Roberts within a bug ticket.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-02-25 14:27:33 UTC
*** Bug 502404 has been marked as a duplicate of this bug. ***
Comment 2 Samuel Damashek (RETIRED) gentoo-dev 2014-03-03 19:03:33 UTC
*** Bug 503348 has been marked as a duplicate of this bug. ***
Comment 3 Andrey Ovcharov 2014-07-27 19:04:35 UTC
Created attachment 381668
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-07-27 19:07:46 UTC
CVE-2014-1912 (
  Buffer overflow in the socket.recvfrom_into function in
  Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and
  3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a
  crafted string.
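A defensive check for this bug, as an added example that is not part of the bug report or the attached patch: it assumes a fixed interpreter rejects an oversized `nbytes` with `ValueError` before receiving (the behaviour of the upstream fix) and a Unix host for the `AF_UNIX` socketpair. A behavioural probe also covers distribution back-ports such as 3.2.5-r6, which the interpreter's own version number does not reveal. The function names are hypothetical.

```python
import socket
import sys


def recvfrom_into_is_bounds_checked():
    """Return True if socket.recvfrom_into() rejects nbytes > len(buffer).

    Safe on an unpatched interpreter: the socket is one end of a private,
    non-blocking socketpair that is never written to, so the oversized
    request fails with "would block" and no byte is copied into the buffer.
    """
    # AF_UNIX datagram pair (assumes a Unix host); only `peer` could send to `sock`.
    sock, peer = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.setblocking(False)
        buf = bytearray(8)
        try:
            # Ask for one byte more than the buffer can hold.
            sock.recvfrom_into(buf, len(buf) + 1)
        except ValueError:
            return True    # length validated before the receive: fixed
        except socket.error:
            return False   # request reached the OS unchecked: vulnerable
        return False       # call succeeded with an oversized nbytes
    finally:
        sock.close()
        peer.close()


def report():
    """One-line status for the running interpreter."""
    version = "%d.%d.%d" % sys.version_info[:3]
    if recvfrom_into_is_bounds_checked():
        return "python %s: recvfrom_into() is bounds-checked" % version
    return "python %s: recvfrom_into() accepts nbytes > len(buffer), update" % version


if __name__ == "__main__":
    print(report())
```

Run it with each installed interpreter slot (for example the 2.7, 3.2 and 3.3 binaries) rather than only the default one, since each slot is patched separately.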
Comment 5 Mike Gilbert gentoo-dev 2014-07-28 14:51:40 UTC
Please go ahead and stabilize dev-lang/python-2.7.7 and dev-lang/python-3.3.5.

Somebody should probably back-port the fix for python-3.2.
Comment 6 Mike Gilbert gentoo-dev 2014-07-28 14:55:32 UTC
I think this still leaves us vulnerable to bug 514686, so this will likely be followed by a revbump or version bump for that bug whenever someone can get to it.
Comment 7 Sergey Popov (RETIRED) gentoo-dev 2014-07-29 07:55:23 UTC
Arches, please test and mark stable


Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-30 10:23:32 UTC
(In reply to Sergey Popov from comment #7)
> Arches, please test and mark stable
> =dev-lang/python-2.7.7
> =dev-lang/python-3.2.5-r6
> =dev-lang/python-3.3.5-r1

You forgot:

> Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-31 07:44:42 UTC
Stable for HPPA.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2014-07-31 12:46:28 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-02 13:44:22 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-02 13:47:59 UTC
x86 stable
Comment 13 Markus Meier gentoo-dev 2014-08-03 18:25:41 UTC
arm stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2014-08-04 18:52:19 UTC
ia64/sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-08-08 21:42:30 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:32 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 17 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-08-18 20:10:31 UTC
Cleanup done.
Comment 18 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-18 20:18:04 UTC
(In reply to Dirkjan Ochtman from comment #17)
> Cleanup done.

Thank you for cleanup. I'm changing title to < 3.3.4 as this is the version mentioned in CVE as fixed for this branch so it seems OK that this is still in the tree. 

New GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:35:56 UTC
This issue was resolved and addressed in
 GLSA 201503-10 at
by GLSA coordinator Kristian Fiskerstrand (K_F).