Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 647862 (CVE-2018-1000030) - <dev-lang/python-2.7.15: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c (CVE-2018-1000030)
Summary: <dev-lang/python-2.7.15: Heap-Buffer-Overflow and Heap-Use-After-Free in Obje...
Status: RESOLVED FIXED
Alias: CVE-2018-1000030
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Deadline: 2018-09-22
Assignee: Gentoo Security
URL: https://bugs.python.org/issue31530
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-16 15:20 UTC by Dimitris Nakos (sokan)
Modified: 2018-12-01 00:46 UTC (History)
3 users (show)

See Also:
Package list:
dev-lang/python-2.7.15
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dimitris Nakos (sokan) 2018-02-16 15:20:50 UTC 
Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE. 

Are we affected by this vulnerability?

-Gentoo Security Padawan-
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-06 20:44:18 UTC 
@Maintainers we seem to be affected by this CVE, please confirm if that's the case.

Thank you
Comment 2 tonemgub 2018-03-13 20:11:17 UTC 
This seems to still be vulnerable, reference SUSE ticket cherry pick patch comments:

> This issue is fixed by upstream patch 6401e5671781eb217ee1afb4603cc0d1b0367ae6. > Since that solution had unintended side-effects, another commit was added on top of it in dbf52e02f18dac6f5f0a64f78932f3dc6efc056b.
https://bugzilla.novell.com/show_bug.cgi?id=1079300#c2

Commits:

https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6
https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-11 12:32:21 UTC 
@ maintainer(s): can we start stabilization of =dev-lang/python-2.7.15?
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-09-11 14:17:19 UTC 
Sure.  Arch teams, please proceed.
Comment 5 Mart Raudsepp gentoo-dev 2018-09-11 17:31:28 UTC 
arm64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-12 13:24:10 UTC 
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-12 20:48:55 UTC 
x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2018-09-13 14:34:15 UTC 
Stable on alpha.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-15 12:38:16 UTC 
arm stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-15 21:50:41 UTC 
hppa stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-15 21:53:19 UTC 
ppc stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-15 21:54:42 UTC 
ppc64 stable
Comment 13 Rolf Eike Beer archtester 2018-09-16 07:32:56 UTC 
sparc done.
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-16 07:50:01 UTC 
s390/sh/m68k stable
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-15 07:08:01 UTC 
ia64 stable
Comment 16 Michael Boyle 2018-10-16 02:39:29 UTC 
GLSA filed

Michael Boyle
Gentoo Security Padawan
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2018-11-09 00:36:17 UTC 
This issue was resolved and addressed in
 GLSA 201811-02 at https://security.gentoo.org/glsa/201811-02
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-09 00:37:44 UTC 
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <dev-lang/python-2.7.15!
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2018-11-25 03:44:02 UTC 
cleanup on aisle #6...