CVE: CVE-2021-3177 - python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c

Bug #1987927 reported by Joe Slater
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Joe Slater
Milestone: (none)

Bug Description

From NIST:

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

The problem occurs for python2 as well. A specific example is a coredump when executing

>>> c_double.from_param(1e300)
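
The unsafe pattern behind this CVE is formatting a double with "%f" via sprintf() into a fixed-size stack buffer: the formatted length grows with the magnitude of the value, so an input like 1e300 produces several hundred characters. The following is an added example, not CPython's code and not the StarlingX patch, that shows how to check whether a value would exceed such a buffer and the bounded-write form that replaces the unbounded one; REPR_BUF_SIZE, the format string and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the fixed-size stack buffer described in the CVE. */
#define REPR_BUF_SIZE 256

/* Bytes (excluding the NUL) that "%f" formatting of v would produce.
 * snprintf(NULL, 0, ...) is the C99 way to measure without writing. */
int cparam_repr_length(double v) {
    return snprintf(NULL, 0, "<cparam 'd' (%f)>", v);
}

/* Would an unbounded sprintf() into a REPR_BUF_SIZE-byte buffer overflow? */
int cparam_repr_would_overflow(double v) {
    return cparam_repr_length(v) >= REPR_BUF_SIZE;
}

/* Hardened variant: bounded write plus a caller-visible failure instead of
 * silent truncation. Returns 0 on success, -1 if the repr did not fit. */
int cparam_repr_safe(double v, char *out, size_t out_size) {
    int n = snprintf(out, out_size, "<cparam 'd' (%f)>", v);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same check through a stack buffer of the assumed size. */
int cparam_repr_fits_stack(double v) {
    char buf[REPR_BUF_SIZE];
    return cparam_repr_safe(v, buf, sizeof buf);
}

/* Alternative hardening: size the buffer from the value instead of fixing it.
 * Returns the length of the formatted repr, or -1 on failure. */
int cparam_repr_alloc_len(double v) {
    int n = cparam_repr_length(v);
    if (n < 0) return -1;
    char *buf = malloc((size_t)n + 1);
    if (!buf) return -1;
    snprintf(buf, (size_t)n + 1, "<cparam 'd' (%f)>", v);
    int len = (int)strlen(buf);
    free(buf);
    return len;
}
```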

Changed in starlingx:
assignee: nobody → Joe Slater (jslater0wind)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to compile (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/compile/+/854851

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
tags: added: stx.security
information type: Public → Public Security
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.8.0
Ghada Khalil (gkhalil)
summary: - CVE: CVE-2021-3177 - python
+ CVE: CVE-2021-3177 - python: Stack-based buffer overflow in PyCArg_repr
+ in _ctypes/callproc.c
OpenStack Infra (hudson-openstack) wrote : Fix merged to compile (master)

Reviewed: https://review.opendev.org/c/starlingx/compile/+/854851
Committed: https://opendev.org/starlingx/compile/commit/110035d8fc450117c389d156242269bc54f31a3a
Submitter: "Zuul (22348)"
Branch: master

commit 110035d8fc450117c389d156242269bc54f31a3a
Author: Joe Slater <email address hidden>
Date: Fri Aug 26 11:46:44 2022 -0400

    python: Fix CVE-2021-3177

    A buffer overflow can occur when calling c_double.from_param().

    Advance to python-2.7.5-92.el7_9.src.rpm. Fixes CVE-2019-20907,
    CVE-2020-26116, and CVE-2022-0391 as well.

    === Testing
    Build and boot iso; log in.

    $ python
    >>> from ctypes import c_double
    >>> c_double.from_param(1e300)

    The last line will cause python to abort if the fix
    has not been applied.

    Ran ansible to provision system. Unlocked. Rebooted to unlocked
    and enabled host-list status.
    ===

    Closes-bug: 1987927
    Signed-off-by: Joe Slater <email address hidden>
    Change-Id: Idbc681581b48e05ebacdfe873d95d0a342a232ea

Changed in starlingx:
status: In Progress → Fix Released