[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-25 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I thought it was one error, and not two. The updated patch adds tests and fixes a minor mistake. 2.7 is not affected by the main security issue, but it contains one of the mentioned bugs (read 1 byte outside of the input array). A patch for 2.7 fixes this bug and also

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-25 Thread Henri Salo
Henri Salo added the comment: I tested versions 3.1.1, 3.1.2, 3.1.3, 3.1.4 and 3.1.5 and only 3.1.3 crashed with Segmentation fault: Program received signal SIGSEGV, Segmentation fault. 0x004c483a in PyObject_Call (func=0x77e4d3b0, arg=0x770fd410, kw=0x0) at Objects/abstract.c

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-25 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- nosy: +benjamin.peterson

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-25 Thread Henri Salo
Henri Salo added the comment: Debian bug-report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670389 Found in versions python3-defaults/3.2.3~rc1-2, python3-defaults/3.1.3-12+squeeze1 -- nosy: +Henri.Salo

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-25 Thread Kurt Seifried
Changes by Kurt Seifried: -- nosy: -kseifr...@redhat.com

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-25 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I am now writing tests and I have a question. Should b'\xd8\x00\x41'.decode('utf-16be', 'replace') give '\xfffd' or '\xfffd\xfffd'?

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-24 Thread Huzaifa Sidhpurwala
Huzaifa Sidhpurwala added the comment: I have not tried the patch yet, but modifying the reproducer yields a different crash. This one seems to be a heap-based buffer overflow which is slightly more serious. In the reproducer, you just need to replace ascii() with str(). Again works on pytho

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-24 Thread Kurt Seifried
Kurt Seifried added the comment: Please use CVE-2012-2135 for this issue as per http://www.openwall.com/lists/oss-security/2012/04/25/3 -- nosy: +kseifr...@redhat.com

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-24 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: -- title: Possible vulnerability in the utf-16 decoder after error handling -> Vulnerability in the utf-16 decoder after error handling

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-24 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > I think the same issue also applies to the ASCII decoder in 3.3. No, the ASCII decoder is not affected by this vulnerability. In a loop in which unicode_decode_call_errorhandler is called, do not use any cached and not-updatable data.

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-24 Thread Martin v. Löwis
Martin v. Löwis added the comment: Now I see the problem: make_decode_exception creates a new bytes object in any case, regardless of whether the error handler will update it or not. Therefore, decoding will continue in this new bytes object. I think the same issue also applies to the ASCII d

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-20 Thread Andrew Svetlov
Changes by Andrew Svetlov: -- nosy: +asvetlov

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-20 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: Added file: http://bugs.python.org/file25295/utf16_update_after_error-3.2.patch

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-20 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: Removed file: http://bugs.python.org/file25293/utf16_error_handling-3.2.patch

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-20 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Here is a minimal patch that corrects all bugs for 3.2. As a side effect, decoding is accelerated by 4-8%. -- Added file: http://bugs.python.org/file25294/utf16_error_handling-3.2.patch

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-20 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: Added file: http://bugs.python.org/file25293/utf16_error_handling-3.2.patch

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-20 Thread Martin v. Löwis
Martin v. Löwis added the comment: > You're right, and my eyes in a lather. Now I saw it. > > What you have to offer any comment? If someone would correct a comment > for decode_utf8_errors, I just copied it. "might have changed the input object" >> Why this is relevant to this issue, is uncl

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-20 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > So this adjustment is necessary because the *input* may change in the > callback, > not because the output may change. So the comment in decode_utf8_errors seems > just as wrong. You're right, and my eyes in a lather. Now I saw it. What you have to offer

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-20 Thread Martin v. Löwis
Martin v. Löwis added the comment: [moving from Rietveld back to Roundup] On 2012/04/20 11:15:48, storchaka wrote: > The `aligned_end` may point outside unicode object, > if the unicode object was reallocated. How so? The aligned_end *never* points into the unicode object: q = (unsigned char

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-19 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis: -- nosy: +Arfrever

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-19 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: The proposed patch will fix only the first of these bugs. The patch in issue #14624 fixes all bugs for Python 3.3. I will make a patch for Python 3.2 soon.

[issue14579] Vulnerability in the utf-16 decoder after error handling

2012-04-19 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Here are the bugs in the utf-16 decoder: 1. `aligned_end` is not updated after calling the error handler. 2. Possible silent reading of one byte over the bytes array limit when decoding a surrogate pair. b'\xD8\x00\xDC'.decode('utf-16be') 3. Error handlers r