Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585910 (CVE-2016-5636) - <dev-lang/python-{2.7.12,3.4.5}: Heap overflow in zipimporter module (CVE-2016-5636)
Summary: <dev-lang/python-{2.7.12,3.4.5}: Heap overflow in zipimporter module (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2016-5636
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2016-0772
Blocks:
  Show dependency tree
 
Reported: 2016-06-14 10:26 UTC by Agostino Sarubbo
Modified: 2017-01-10 14:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-14 10:26:03 UTC
From ${URL} :

A heap-based buffer overflow vulnerability was found in zipimporter module.

Vulnerable code:

  1116     bytes_size = compress == 0 ? data_size : data_size + 1;
  1117     if (bytes_size == 0)
  1118         bytes_size++;
  1119     raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

data_size is not sanitized, so if comepress != 0 and data_size = -1, then it overflows and becomes 
0. Right after then it's incremented and becomes 1. In that case, python allocates small portion 
of heap, which is later overflowed using fread.

Upstream bug:

https://bugs.python.org/issue26171

Upstream patches:

https://hg.python.org/cpython/rev/01ddd608b85c (3.4)
https://hg.python.org/cpython/rev/985fc64c60d6 (2.7)
https://hg.python.org/cpython/rev/10dad6da1b28 (3.5)
https://hg.python.org/cpython/rev/2df462852464 (default)


CVE request:

http://seclists.org/oss-sec/2016/q2/524


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2016-06-14 16:14:35 UTC
We should probably backport these onto the currently stable ebuilds with a revbump.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-11-29 23:08:58 UTC
Fix is in v2.7.12:

$ hg log -r "985fc64c60d6:: and tag()"
changeset:   101898:13912cd1e7e8
branch:      2.7
tag:         v2.7.12rc1
user:        Benjamin Peterson <benjamin@python.org>
date:        Sat Jun 11 14:46:26 2016 -0700
summary:     2.7.12 release candidate 1

changeset:   102173:d33e0cf91556
branch:      2.7
tag:         v2.7.12
parent:      102122:45d4cea97b04
user:        Benjamin Peterson <benjamin@python.org>
date:        Sat Jun 25 14:03:21 2016 -0700
summary:     2.7.12 final


Fix for 3.4 branch was: https://hg.python.org/cpython/rev/5ae8756a1ae0 which is not yet released, see

$ hg log -r "5ae8756a1ae0:: and tag()"
changeset:   104442:b9fadc7d1c3f
branch:      3.6
tag:         v3.6.0b2
user:        Ned Deily <nad@python.org>
date:        Mon Oct 10 16:09:08 2016 -0400
summary:     Version bump for 3.6.0b2

changeset:   104860:8345e066c0ed
branch:      3.6
tag:         v3.6.0b3
user:        Ned Deily <nad@python.org>
date:        Mon Oct 31 20:43:30 2016 -0400
summary:     Version bump for 3.6.0b3

changeset:   105327:18496abdb3d5
branch:      3.6
tag:         v3.6.0b4
user:        Ned Deily <nad@python.org>
date:        Mon Nov 21 23:30:55 2016 -0500
summary:     Version bump for 3.6.0b4
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-29 23:11:30 UTC
Wait, 3.4er changeset fixing the problem was 01ddd608b85c which was

changeset:   102200:619b61e505d0
branch:      3.4
tag:         v3.4.5
user:        Larry Hastings <larry@hastings.org>
date:        Sat Jun 25 14:44:30 2016 -0700
summary:     Version bump for 3.4.5 final.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-03 06:28:05 UTC
CVE-2016-5636 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5636):
  Integer overflow in the get_data function in zipimport.c in CPython (aka
  Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows
  remote attackers to have unspecified impact via a negative data size value,
  which triggers a heap-based buffer overflow.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-10 14:01:06 UTC
This issue was resolved and addressed in
 GLSA 201701-18 at https://security.gentoo.org/glsa/201701-18
by GLSA coordinator Thomas Deutschmann (whissi).