Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 647862 (CVE-2018-1000030) - <dev-lang/python-2.7.15: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c (CVE-2018-1000030)
Summary: <dev-lang/python-2.7.15: Heap-Buffer-Overflow and Heap-Use-After-Free in Obje...
Status: RESOLVED FIXED
Alias: CVE-2018-1000030
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Deadline: 2018-09-22
Assignee: Gentoo Security
URL: https://bugs.python.org/issue31530
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-16 15:20 UTC by Demetris Nakos (sokan)
Modified: 2018-12-01 00:46 UTC (History)
3 users (show)

See Also:
Package list:
dev-lang/python-2.7.15
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Demetris Nakos (sokan) 2018-02-16 15:20:50 UTC
Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE. 

Are we affected by this vulnerability?

-Gentoo Security Padawan-
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-06 20:44:18 UTC
@Maintainers we seem to be affected by this CVE, please confirm if that's the case.

Thank you
Comment 2 tonemgub 2018-03-13 20:11:17 UTC
This seems to still be vulnerable, reference SUSE ticket cherry pick patch comments:

> This issue is fixed by upstream patch 6401e5671781eb217ee1afb4603cc0d1b0367ae6. > Since that solution had unintended side-effects, another commit was added on top of it in dbf52e02f18dac6f5f0a64f78932f3dc6efc056b.
https://bugzilla.novell.com/show_bug.cgi?id=1079300#c2

Commits:

https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6
https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-09-11 12:32:21 UTC
@ maintainer(s): can we start stabilization of =dev-lang/python-2.7.15?
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-09-11 14:17:19 UTC
Sure.  Arch teams, please proceed.
Comment 5 Mart Raudsepp gentoo-dev 2018-09-11 17:31:28 UTC
arm64 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-09-12 13:24:10 UTC
amd64 stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-09-12 20:48:55 UTC
x86 stable
Comment 8 Tobias Klausmann gentoo-dev 2018-09-13 14:34:15 UTC
Stable on alpha.
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-09-15 12:38:16 UTC
arm stable
Comment 10 Sergei Trofimovich gentoo-dev 2018-09-15 21:50:41 UTC
hppa stable
Comment 11 Sergei Trofimovich gentoo-dev 2018-09-15 21:53:19 UTC
ppc stable
Comment 12 Sergei Trofimovich gentoo-dev 2018-09-15 21:54:42 UTC
ppc64 stable
Comment 13 Rolf Eike Beer 2018-09-16 07:32:56 UTC
sparc done.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-09-16 07:50:01 UTC
s390/sh/m68k stable
Comment 15 Sergei Trofimovich gentoo-dev 2018-10-15 07:08:01 UTC
ia64 stable
Comment 16 Michael Boyle 2018-10-16 02:39:29 UTC
GLSA filed

Michael Boyle
Gentoo Security Padawan
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2018-11-09 00:36:17 UTC
This issue was resolved and addressed in
 GLSA 201811-02 at https://security.gentoo.org/glsa/201811-02
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 18 Thomas Deutschmann gentoo-dev Security 2018-11-09 00:37:44 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <dev-lang/python-2.7.15!
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-25 03:44:02 UTC
cleanup on aisle #6...