Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 514686 (CVE-2014-4616) - <dev-lang/python-{2.7.7,3.2.5-r5,3.3.5-r1}: _json module is vulnerable to arbitrary process memory read (CVE-2014-4616)
Summary: <dev-lang/python-{2.7.7,3.2.5-r5,3.3.5-r1}: _json module is vulnerable to arb...
Status: RESOLVED FIXED
Alias: CVE-2014-4616
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q2/613
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-23 14:04 UTC by Kristian Fiskerstrand
Modified: 2015-03-18 22:36 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
CVE-2014-4616-json-bounds-check.patch (CVE-2014-4616-json-bounds-check.patch,2.31 KB, patch)
2014-07-27 19:05 UTC, Andrey Ovcharov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2014-06-23 14:04:13 UTC
From ${URL}:
Hello,

It was reported [1] that Python built-in _json module have a flaw
(insufficient bounds checking), which allows a local user to read
current process' arbitrary memory.
From initial bug report [1]:
...
The sole prerequisites of this attack are that the attacker is able to
control or influence the two parameters of the default scanstring
function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index
value. The index value is then used directly as an index to an array
in the C code; internally the address of the array and its index are
added to each other in order to yield the address of the value that is
desired. However, by supplying a negative index value and adding this
to the address of the array, the processor's register value wraps
around and the calculated value will point to a position in memory
which isn't within the bounds of the supplied string, causing the
function to access other parts of the process memory.

...

References:
[1] Upstream bug report with additional technical details: http://bugs.python.org/issue21529
[2] Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
[3] RedHat bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1112285
Comment 2 Andrey Ovcharov 2014-07-27 19:05:23 UTC
Created attachment 381670 [details, diff]
CVE-2014-4616-json-bounds-check.patch
Comment 3 Dirkjan Ochtman gentoo-dev 2014-08-18 20:33:50 UTC
Cleanup done.
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2014-08-18 20:35:36 UTC
Thanks. Added to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:36:19 UTC
This issue was resolved and addressed in
 GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10
by GLSA coordinator Kristian Fiskerstrand (K_F).