[issue20246] buffer overflow in socket.recvfrom_into

2014-02-28 Thread koobs

koobs added the comment:

Can somebody backport the fixes for the test breakages to 3.1 and 3.2 please, 
it seems they were forgotten.

The original CVE fix includes changes to test_socket.py so I can't imagine 
security-only-fix policy applies.

Thanks!

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue20246
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue20246] buffer overflow in socket.recvfrom_into

2014-02-28 Thread Roundup Robot

Roundup Robot added the comment:

New changeset c25e1442529f by Stefan Krah in branch '3.1':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/c25e1442529f

New changeset e82dcd700e8c by Stefan Krah in branch '3.2':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/e82dcd700e8c

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-28 Thread koobs

koobs added the comment:

Thank you Stefan

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-26 Thread Peter Funk

Peter Funk added the comment:

A recently posted proof of concept exploit got a lot of attention:

https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/

I suggest some Python core developer should clarify here whether people running 
some publicly available python based web service
(Zope, Plone, Roundup, MoinMoin, or whatever) are vulnerable or not.

--
nosy: +pefu




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-26 Thread Antoine Pitrou

Antoine Pitrou added the comment:

recvfrom_into() is hardly ever used, including in the stdlib itself.
People using third-party software should check that the software itself doesn't 
call this method (chances are it doesn't).

--

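One way to carry out the check suggested in the comment above, as an added example that is not part of the original thread or of CPython: an AST scan that lists every recvfrom_into() call in a source file and separates calls that let the buffer set the read length from calls that pass their own nbytes, which is the form this issue concerns. The function names and the SAMPLE source are constructed for illustration.

```python
import ast

# Constructed sample of application code; none of it comes from the thread.
SAMPLE = '''\
import socket
def read_fixed(sock):
    buf = bytearray(512)
    return sock.recvfrom_into(buf)

def read_sized(sock, want):
    buf = bytearray(512)
    return sock.recvfrom_into(buf, want)

def read_kw(sock, buf, n):
    return sock.recvfrom_into(buf, nbytes=n, flags=0)

def read_zero(sock, buf):
    return sock.recvfrom_into(buf, 0)
'''

def classify_call(call):
    """Classify one recvfrom_into() call by how its read length is chosen."""
    if any(isinstance(a, ast.Starred) for a in call.args) or \
            any(kw.arg is None for kw in call.keywords):
        return "review"            # *args / **kwargs hide the arguments
    nbytes = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "nbytes":
            nbytes = kw.value
    if nbytes is None or (isinstance(nbytes, ast.Constant) and nbytes.value == 0):
        return "buffer-sized"      # omitted or 0: length comes from the buffer
    return "explicit-nbytes"       # caller-chosen length: the case in this issue

def find_recvfrom_into_calls(source, filename="<constructed>"):
    """Return sorted (line, classification) pairs for *.recvfrom_into(...) calls."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "recvfrom_into"):
            findings.append((node.lineno, classify_call(node)))
    return sorted(findings)

if __name__ == "__main__":
    for line, status in find_recvfrom_into_calls(SAMPLE):
        print(line, status)
```

Calls made through an alias or getattr() are not seen by this scan, so a plain text search for the method name is a useful second pass.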



[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread Christian Heimes

Christian Heimes added the comment:

This issue has already been assigned CVE-2014-1912

Reference:

http://www.openwall.com/lists/oss-security/2014/02/12/16
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1912

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread Chris Rebert

Changes by Chris Rebert pyb...@rebertia.com:


--
nosy: +cvrebert




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread koobs

Changes by koobs koobs.free...@gmail.com:


--
nosy: +koobs




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread R. David Murray

R. David Murray added the comment:

We don't currently have the capability to set an email trigger when the type is 
set to security.  That should be submitted as a request on the meta tracker.  
(It will require a new reactor, which is easy, and a tweak to the database 
schema, which I don't offhand remember how to deploy, but it shouldn't be hard.)

--
nosy: +ezio.melotti




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread Chris Rose

Chris Rose added the comment:

Is there an ETA for a 2.7.7 release with this fix?

--
nosy: +offby1




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread Ryan Smith-Roberts

Ryan Smith-Roberts added the comment:

I notified secur...@python.org and waited for the go-ahead (from Guido I think) 
before opening this bug. If today is the first that the PSRT is hearing about 
this, then the issue is broader than just the bugtracker.

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Yes, your message reached PSRT on Jan 12th.

--
nosy: +pitrou




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread Christian Heimes

Christian Heimes added the comment:

Sorry, you are right and I was wrong. :(

Your mail *was* delivered to PSRT. But it failed to reach me because I was 
having issues with my @python.org account. The server-side spam filter is now 
deactivated and I receive all mails again.

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-25 Thread Giampaolo Rodola'

Changes by Giampaolo Rodola' g.rod...@gmail.com:


--
nosy: +giampaolo.rodola




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-24 Thread Christian Heimes

Christian Heimes added the comment:

I just came across 
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/ .
Now I wonder why this bug was neither reported to PSRT nor got a CVE number. 
It's a buffer overflow...

I'm going to contact MITRE right away.

--
nosy: +christian.heimes




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-24 Thread Nick Coghlan

Nick Coghlan added the comment:

Branch status:

Vulnerable (last release prior to patch):
2.7.6
3.1.5
3.2.5

Fixed (latest release post patch):
3.3.4+
3.4

So my reading is that 2.7.7 needs to be brought forward, and source only 
releases of 3.1.6 and 3.2.6 should be published.

It also sounds like there's a missing trigger that automatically notifies PSRT 
when someone else classifies a bug as a security bug.

--
nosy: +ncoghlan




[issue20246] buffer overflow in socket.recvfrom_into

2014-02-24 Thread Nick Coghlan

Nick Coghlan added the comment:

Confirming the fix is in the 3.3.4 tag: 
http://hg.python.org/cpython/file/7ff62415e426/Lib/test/test_socket.py#l4539

And the 3.4rc1 tag: 
http://hg.python.org/cpython/file/5e088cea8660/Lib/test/test_socket.py#l4708

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-21 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 5c4f4db8107c by Stefan Krah in branch '3.3':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/5c4f4db8107c

New changeset 9bbc3cc8ff4c by Stefan Krah in branch 'default':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/9bbc3cc8ff4c

New changeset b6c5a37b221f by Stefan Krah in branch '2.7':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/b6c5a37b221f

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-21 Thread Stefan Krah

Stefan Krah added the comment:

Thanks Ryan. As you say, the original segfault is also triggered with the
shortened message.

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-20 Thread Ryan Smith-Roberts

Ryan Smith-Roberts added the comment:

The send part of the test doesn't matter, since what's being tested happens 
before any reads. The MSG multiplier should be removed completely, since none 
of the other tests do that.

Patch attached.

--
Added file: 
http://bugs.python.org/file33573/recvfrom_into_small_buffer_test.patch




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-19 Thread Stefan Krah

Stefan Krah added the comment:

MSG*1024 passes. I did not look at this issue: Would changing the value to 1024
invalidate the test?

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-18 Thread Stefan Krah

Stefan Krah added the comment:

One test fails on FreeBSD 9.0 and 6.4:

======================================================================
ERROR: testRecvFromIntoSmallBuffer (test.test_socket.BufferIOTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 259, in _tearDown
    raise exc
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 271, in clientRun
    test_func()
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 4690, in _testRecvFromIntoSmallBuffer
    self.serv_conn.send(MSG*2048)
BrokenPipeError: [Errno 32] Broken pipe

--
nosy: +skrah




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-18 Thread Ryan Smith-Roberts

Ryan Smith-Roberts added the comment:

Perhaps the test is sending an infeasibly large message. If you remove the 
'*2048' does it pass? (I set up a FreeBSD 9.2 amd64 VM but all tests are 
passing here).

--




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-13 Thread Ryan Smith-Roberts

New submission from Ryan Smith-Roberts:

recvfrom_into fails to check that the supplied buffer object is big enough for 
the requested read and so will happily write off the end.

I will attach patches for 3.4 and 2.7, I'm not familiar with the backporting 
procedure to go further but all versions since 2.5 have this bug and while very 
highly unlikely it's technically remotely exploitable.

Quickie trigger script, crash on interpreter exit:

- BEGIN SEGFAULT -

import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024)

--
components: Extension Modules
messages: 208062
nosy: rmsr
priority: normal
severity: normal
status: open
title: buffer overflow in socket.recvfrom_into
type: crash
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4

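A caller-side guard for code that must run on an interpreter without the fix, as an added example that is not part of the original report or of the CPython patch: it applies the comparison of nbytes against the buffer length before the call is made. The names checked_recvfrom_into and demo are hypothetical; the demo sends the same 1024 bytes as the trigger script above.

```python
import socket

def checked_recvfrom_into(sock, buffer, nbytes=0, flags=0):
    """Call sock.recvfrom_into() only after checking nbytes against the buffer.

    Hypothetical helper: it rejects a requested read that is larger than
    the buffer instead of passing it on to the socket module.
    """
    view = memoryview(buffer)
    size = len(view) * view.itemsize      # buffer size in bytes (1-D buffers)
    if nbytes < 0:
        raise ValueError("negative nbytes")
    if nbytes > size:
        raise ValueError("nbytes is greater than the length of the buffer")
    # nbytes == 0 means "use the buffer length"; make that explicit.
    return sock.recvfrom_into(buffer, nbytes or size, flags)

def demo():
    """Run the report's call through the guard, then a correctly sized read."""
    r, w = socket.socketpair()
    try:
        w.send(b"X" * 1024)
        try:
            checked_recvfrom_into(r, bytearray(), 1024)   # empty buffer, 1024 requested
            rejected = False
        except ValueError:
            rejected = True
        buf = bytearray(16)
        count, _addr = checked_recvfrom_into(r, buf, 16)
        return rejected, count, bytes(buf)
    finally:
        r.close()
        w.close()

if __name__ == "__main__":
    print(demo())
```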



[issue20246] buffer overflow in socket.recvfrom_into

2014-01-13 Thread Ryan Smith-Roberts

Changes by Ryan Smith-Roberts r...@lab.net:


Added file: 
http://bugs.python.org/file33453/recvfrom_into_buffer_overflow_2.7.patch




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-13 Thread Ryan Smith-Roberts

Changes by Ryan Smith-Roberts r...@lab.net:


--
keywords: +patch
Added file: 
http://bugs.python.org/file33452/recvfrom_into_buffer_overflow_3.4.patch




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-13 Thread R. David Murray

R. David Murray added the comment:

Everything before 2.7 is already out of even security maintenance, so you've 
already checked off everything it will get fixed in.

--
nosy: +r.david.murray
type: crash -> security




[issue20246] buffer overflow in socket.recvfrom_into

2014-01-13 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 87673659d8f7 by Benjamin Peterson in branch '2.7':
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
http://hg.python.org/cpython/rev/87673659d8f7

New changeset 715fd3d8ac93 by Benjamin Peterson in branch '3.1':
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
http://hg.python.org/cpython/rev/715fd3d8ac93

New changeset 9c56217e5c79 by Benjamin Peterson in branch '3.2':
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
http://hg.python.org/cpython/rev/9c56217e5c79

New changeset 7f176a45211f by Benjamin Peterson in branch '3.3':
merge 3.2 (#20246)
http://hg.python.org/cpython/rev/7f176a45211f

New changeset ead74e54d68f by Benjamin Peterson in branch 'default':
merge 3.3 (#20246)
http://hg.python.org/cpython/rev/ead74e54d68f

New changeset 37ed85008f51 by Benjamin Peterson in branch 'default':
merge 3.3 (#20246)
http://hg.python.org/cpython/rev/37ed85008f51

--
nosy: +python-dev
resolution:  -> fixed
stage:  -> committed/rejected
status: open -> closed
