seebug Root SSV:3800
History: Aug 07, 2008 - 12:00 a.m.

Multiple Buffer Overflow Vulnerabilities in Python

EPSS: 0.011 Low
Percentile: 83.2%

BUGTRAQ ID: 30491
CVE ID: CVE-2008-2315
CVE-2008-2316
CVE-2008-3142
CVE-2008-3143
CVE-2008-3144
CNCVE ID: CNCVE-20082315
CNCVE-20082316
CNCVE-20083142
CNCVE-20083143
CNCVE-20083144

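Python is an open-source scripting language.
Python contains multiple integer overflow vulnerabilities that a remote attacker can exploit to cause a denial of service or execute arbitrary code against applications.

  1. Various integer overflows exist in core modules, including stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule and mmapmodule.
  2. An integer overflow in the hashlib module can lead to untrustworthy cryptographic digest results.
  3. When processing unicode strings, an integer overflow in unicode_resize() can result in a buffer overflow on 32-bit systems. The vulnerable code is shown below: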

    static
    int unicode_resize(register PyUnicodeObject *unicode,
                       Py_ssize_t length)
    {
        […]

        oldstr = unicode->str;
        PyMem_RESIZE(unicode->str, Py_UNICODE, length + 1);

        […]
        unicode->str[length] = 0;
        unicode->length = length;

    /* (n) * sizeof(type) can wrap; the assert() is the only guard and is
       compiled out when NDEBUG is defined. */
    #define PyMem_RESIZE(p, type, n) \
      ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
        ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )

  4. On architectures without a vsnprintf() function, PyOS_vsnprintf() contains an integer overflow vulnerability. The vulnerable code is shown below:

    int
    PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
    {
        int len;  /* # bytes written, excluding \0 */
        […]
        assert(str != NULL);
        assert(size > 0);
        assert(format != NULL);

        […]
        /* Emulate it. */
        /* size + 512 is computed without an overflow check. */
        buffer = PyMem_MALLOC(size + 512);
        if (buffer == NULL) {
            len = -666;
            goto Done;
        }

        len = vsprintf(buffer, format, va);
        if (len < 0)
            /* ignore the error */;

        else if ((size_t)len >= size + 512)
            Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");

        else {
            const size_t to_copy = (size_t)len < size ?
                                    (size_t)len : size - 1;
            assert(to_copy < size);
            memcpy(str, buffer, to_copy);
            str[to_copy] = '\0';
        }
        PyMem_FREE(buffer);

    Done:
        […]
        str[size-1] = '\0';
        return len;
    }

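  5. When a zero-length string is passed to PyOS_vsnprintf(), an integer overflow can be triggered, leading to memory corruption. The vulnerable code is shown below: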

    int
    PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
    {
        int len;  /* # bytes written, excluding \0 */
    #ifndef HAVE_SNPRINTF
        char *buffer;
    #endif
        assert(str != NULL);
        assert(size > 0);   /* only guard against size == 0 */
        assert(format != NULL);
        […]
        len = vsnprintf(str, size, format, va);
        […]
        str[size-1] = '\0';   /* size - 1 wraps when size == 0 */
        return len;
    }
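The size computations in the three excerpts above, next to checked forms, as an added example that is not part of the original advisory or of the Python source. The names `size32_t`, `unchecked_bytes`, `checked_bytes` and `checked_emul_size` are hypothetical, and a fixed 32-bit type stands in for a 32-bit `size_t` so the wrap is reproducible on any host.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 32-bit size type so the wrap is reproducible on a 64-bit host. */
typedef uint32_t size32_t;

/* Unchecked pattern from the PyMem_RESIZE excerpt: (n) * sizeof(type). */
size32_t unchecked_bytes(size32_t n, size32_t elem_size)
{
    return (size32_t)(n * elem_size);   /* reduced modulo 2^32 */
}

/* Checked form: 0 on success, -1 if n * elem_size does not fit in 32 bits.
 * A plain if is used because assert() vanishes when NDEBUG is defined. */
int checked_bytes(size32_t n, size32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && n > UINT32_MAX / elem_size)
        return -1;
    *out = n * elem_size;
    return 0;
}

/* Checked form of the emulation buffer size (size + 512). size == 0 is
 * rejected as well, because str[size-1] would then index SIZE_MAX. */
int checked_emul_size(size_t size, size_t *out)
{
    if (size == 0 || size > SIZE_MAX - 512)
        return -1;
    *out = size + 512;
    return 0;
}

int main(void)
{
    size32_t bytes = 0;
    size_t emul = 0;
    /* Constructed input: 4-byte elements, length + 1 == 0x40000000. */
    int wrapped = unchecked_bytes(0x40000000u, 4) == 0;
    int refused = checked_bytes(0x40000000u, 4, &bytes) == -1;
    int zero_refused = checked_emul_size(0, &emul) == -1;
    return (wrapped && refused && zero_refused) ? 0 : 1;
}
```

With the unchecked form the requested allocation is 0 bytes while the caller still writes at index `length`, which is why the check has to live in the release build rather than in an `assert()`.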

Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 7.10 sparc
Ubuntu Ubuntu Linux 7.10 powerpc
Ubuntu Ubuntu Linux 7.10 lpia
Ubuntu Ubuntu Linux 7.10 i386
Ubuntu Ubuntu Linux 7.10 amd64
Ubuntu Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu Linux 7.04 powerpc
Ubuntu Ubuntu Linux 7.04 i386
Ubuntu Ubuntu Linux 7.04 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 12.1
Slackware Linux 12.0
Slackware Linux 11.0
Slackware Linux -current
Python Software Foundation Python 2.5.2
Python Software Foundation Python 2.5.1
Python Software Foundation Python 2.4.4
Python Software Foundation Python 2.4.3
  • Trustix Secure Linux 3.0.5
Python Software Foundation Python 2.4.2
Python Software Foundation Python 2.4.1
Python Software Foundation Python 2.4
Python Software Foundation Python 2.3.6
Python Software Foundation Python 2.3.5
Python Software Foundation Python 2.3.4
  • MandrakeSoft Linux Mandrake 10.1 x86_64
  • MandrakeSoft Linux Mandrake 10.1
  • S.u.S.E. Linux Personal 9.2 x86_64
  • S.u.S.E. Linux Personal 9.2
  • Ubuntu Ubuntu Linux 4.1 ppc
  • Ubuntu Ubuntu Linux 4.1 ia64
  • Ubuntu Ubuntu Linux 4.1 ia32
Python Software Foundation Python 2.3.3
  • MandrakeSoft Corporate Server 3.0 x86_64
  • MandrakeSoft Corporate Server 3.0
  • MandrakeSoft Linux Mandrake 10.0 AMD64
  • MandrakeSoft Linux Mandrake 10.0
  • MandrakeSoft Linux Mandrake 9.2 amd64
  • MandrakeSoft Linux Mandrake 9.2
  • S.u.S.E. Linux Personal 9.0 x86_64
  • S.u.S.E. Linux Personal 9.0
Python Software Foundation Python 2.3.2
Python Software Foundation Python 2.3.1
Python Software Foundation Python 2.3 b1
Python Software Foundation Python 2.3
  • S.u.S.E. Linux Personal 9.0 x86_64
  • S.u.S.E. Linux Personal 9.0
Python Software Foundation Python 2.2.3
  • RedHat Desktop 3.0
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux WS 3
  • Ubuntu Ubuntu Linux 4.1 ppc
  • Ubuntu Ubuntu Linux 4.1 ia64
  • Ubuntu Ubuntu Linux 4.1 ia32
Python Software Foundation Python 2.2.2
  • OpenPKG OpenPKG 1.2
  • RedHat Linux 7.3
  • S.u.S.E. Linux Personal 8.2
Python Software Foundation Python 2.2.1
  • Debian Linux 3.0 sparc
  • Debian Linux 3.0 s/390
  • Debian Linux 3.0 ppc
  • Debian Linux 3.0 mipsel
  • Debian Linux 3.0 mips
  • Debian Linux 3.0 m68k
  • Debian Linux 3.0 ia-64
  • Debian Linux 3.0 ia-32
  • Debian Linux 3.0 hppa
  • Debian Linux 3.0 arm
  • Debian Linux 3.0 alpha
  • Debian Linux 3.0
  • Gentoo Linux 1.4 _rc1
  • Gentoo Linux 1.2
  • MandrakeSoft Corporate Server 2.1 x86_64
  • MandrakeSoft Corporate Server 2.1
  • MandrakeSoft Linux Mandrake 9.0
  • OpenPKG OpenPKG 1.1
  • S.u.S.E. Linux 8.1
Python Software Foundation Python 2.2
  • Conectiva Linux 8.0
  • MandrakeSoft Linux Mandrake 8.2 ppc
  • MandrakeSoft Linux Mandrake 8.2
  • MandrakeSoft Linux Mandrake 8.1 ia64
  • MandrakeSoft Linux Mandrake 8.1
Python Software Foundation Python 2.1.3
  • Debian Linux 3.0
Python Software Foundation Python 2.1.2
Python Software Foundation Python 2.1.1
  • RedHat Linux 7.2
  • Sun Linux 5.0.7
Python Software Foundation Python 2.1
  • Conectiva Linux 7.0
  • Debian Linux 3.1 sparc
  • Debian Linux 3.1 s/390
  • Debian Linux 3.1 ppc
  • Debian Linux 3.1 mipsel
  • Debian Linux 3.1 mips
  • Debian Linux 3.1 m68k
  • Debian Linux 3.1 ia-64
  • Debian Linux 3.1 ia-32
  • Debian Linux 3.1 hppa
  • Debian Linux 3.1 arm
  • Debian Linux 3.1 amd64
  • Debian Linux 3.1 alpha
  • Debian Linux 3.1
  • Debian Linux 3.0 sparc
  • Debian Linux 3.0 s/390
  • Debian Linux 3.0 ppc
  • Debian Linux 3.0 mipsel
  • Debian Linux 3.0 mips
  • Debian Linux 3.0 m68k
  • Debian Linux 3.0 ia-64
  • Debian Linux 3.0 ia-32
  • Debian Linux 3.0 hppa
  • Debian Linux 3.0 arm
  • Debian Linux 3.0 alpha
  • Debian Linux 3.0
Python Software Foundation Python 2.0.1
Python Software Foundation Python 2.0
  • MandrakeSoft Linux Mandrake 8.0 ppc
  • MandrakeSoft Linux Mandrake 8.0
Python Software Foundation Python 2.5
Gentoo Linux
Gentoo

Gentoo users can obtain the corresponding patch from the following security advisory:
http://security.gentoo.org/glsa/glsa-200807-16.xml
Python 2.4 users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r14"
Python 2.5 users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.2-r6"
Python has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
http://svn.python.org/view?rev=65335&view=rev