Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 514686 (CVE-2014-4616) - <dev-lang/python-{2.7.7,3.2.5-r5,3.3.5-r1}: _json module is vulnerable to arbitrary process memory read (CVE-2014-4616)
Summary: <dev-lang/python-{2.7.7,3.2.5-r5,3.3.5-r1}: _json module is vulnerable to arb...
Alias: CVE-2014-4616
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2014-06-23 14:04 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-03-18 22:36 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

CVE-2014-4616-json-bounds-check.patch (CVE-2014-4616-json-bounds-check.patch,2.31 KB, patch)
2014-07-27 19:05 UTC, Andrey Ovcharov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-23 14:04:13 UTC
From ${URL}:

It was reported [1] that Python built-in _json module have a flaw
(insufficient bounds checking), which allows a local user to read
current process' arbitrary memory.
From initial bug report [1]:
The sole prerequisites of this attack are that the attacker is able to
control or influence the two parameters of the default scanstring
function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index
value. The index value is then used directly as an index to an array
in the C code; internally the address of the array and its index are
added to each other in order to yield the address of the value that is
desired. However, by supplying a negative index value and adding this
to the address of the array, the processor's register value wraps
around and the calculated value will point to a position in memory
which isn't within the bounds of the supplied string, causing the
function to access other parts of the process memory.


[1] Upstream bug report with additional technical details:
[2] Debian bug tracker:
[3] RedHat bug tracker:
Comment 2 Andrey Ovcharov 2014-07-27 19:05:23 UTC
Created attachment 381670 [details, diff]
Comment 3 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-08-18 20:33:50 UTC
Cleanup done.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-18 20:35:36 UTC
Thanks. Added to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:36:19 UTC
This issue was resolved and addressed in
 GLSA 201503-10 at
by GLSA coordinator Kristian Fiskerstrand (K_F).