Amazon ALAS-2018-943
Jan 17, 2018 - 11:18 p.m.

Medium: python35, python34

alas.aws.amazon.com

CVSS2: 7.5
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Authentication: NONE
    Confidentiality Impact: PARTIAL
    Integrity Impact: PARTIAL
    Availability Impact: PARTIAL
    Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Privileges Required: NONE
    User Interaction: NONE
    Scope: UNCHANGED
    Confidentiality Impact: HIGH
    Integrity Impact: HIGH
    Availability Impact: HIGH
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 10 (Confidence: High)

EPSS: 0.014 (Percentile: 86.6%)

Issue Overview:

CPython (aka Python) is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in a heap-based buffer overflow (and possible arbitrary code execution). (CVE-2017-1000158)

Affected Packages:

python35, python34

Issue Correction:
Run yum update python35 to update your system.
Run yum update python34 to update your system.

New Packages:

i686:  
    python35-test-3.5.4-13.10.amzn1.i686  
    python35-3.5.4-13.10.amzn1.i686  
    python35-libs-3.5.4-13.10.amzn1.i686  
    python35-tools-3.5.4-13.10.amzn1.i686  
    python35-debuginfo-3.5.4-13.10.amzn1.i686  
    python35-devel-3.5.4-13.10.amzn1.i686  
    python34-debuginfo-3.4.7-1.37.amzn1.i686  
    python34-devel-3.4.7-1.37.amzn1.i686  
    python34-tools-3.4.7-1.37.amzn1.i686  
    python34-3.4.7-1.37.amzn1.i686  
    python34-test-3.4.7-1.37.amzn1.i686  
    python34-libs-3.4.7-1.37.amzn1.i686  
  
src:  
    python35-3.5.4-13.10.amzn1.src  
    python34-3.4.7-1.37.amzn1.src  
  
x86_64:  
    python35-libs-3.5.4-13.10.amzn1.x86_64  
    python35-test-3.5.4-13.10.amzn1.x86_64  
    python35-tools-3.5.4-13.10.amzn1.x86_64  
    python35-debuginfo-3.5.4-13.10.amzn1.x86_64  
    python35-devel-3.5.4-13.10.amzn1.x86_64  
    python35-3.5.4-13.10.amzn1.x86_64  
    python34-tools-3.4.7-1.37.amzn1.x86_64  
    python34-debuginfo-3.4.7-1.37.amzn1.x86_64  
    python34-3.4.7-1.37.amzn1.x86_64  
    python34-libs-3.4.7-1.37.amzn1.x86_64  
    python34-devel-3.4.7-1.37.amzn1.x86_64  
    python34-test-3.4.7-1.37.amzn1.x86_64  
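
To confirm the update landed, the check below compares installed python34/python35 packages against the fixed builds listed above. It is an added example, not part of the advisory: it assumes input lines in the form printed by rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n', ignores epochs, and uses a simplified rpm-style comparison; the sample input is constructed.

```python
import re

# Fixed version-release per base package, from the "New Packages" list above.
FIXED = {"python35": "3.5.4-13.10.amzn1", "python34": "3.4.7-1.37.amzn1"}
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of rpm (no '~' or '^' handling)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def compare_vr(installed, fixed):
    """Compare VERSION-RELEASE strings: version first, release breaks ties."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def audit(rpm_output):
    """Map each installed python34/python35 package to 'patched' or 'vulnerable'."""
    report = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                            # e.g. "package X is not installed"
        name, vr = parts
        fixed = FIXED.get(name.split("-")[0])   # python35-libs -> python35
        if fixed:
            report[name] = "patched" if compare_vr(vr, fixed) >= 0 else "vulnerable"
    return report

# Constructed sample input (hypothetical host, not taken from the advisory).
SAMPLE = """\
python35 3.5.4-13.10.amzn1
python35-libs 3.5.4-13.9.amzn1
python34-libs 3.4.3-1.33.amzn1
bash 4.2.46-28.37.amzn1
package python34 is not installed
"""

if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE).items()):
        print(pkg, status)
```

A sub-package left behind on an older build, as with python35-libs in the sample, is reported as vulnerable even when the base package is current.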

Additional References

Red Hat: CVE-2017-1000158

Mitre: CVE-2017-1000158
