CVE-2021-3177: buffer overflow when parsing floats

Bug #1916480 reported by quazgar
This bug affects 2 people
Affects             Status        Importance  Assigned to  Milestone
python3.6 (Ubuntu)  Confirmed     Undecided   Unassigned
python3.8 (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

See also https://ubuntu.com/security/CVE-2021-3177.

Fixed in 3.6.13.

quazgar (quazgar)
information type: Private Security → Public Security
Leonidas S. Barbosa (leosilvab) wrote :

Hey there,

There is a security update ongoing for this issue. As soon as it's well tested we will publish it.

Thanks!

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python3.6 (Ubuntu):
status: New → Confirmed
Changed in python3.8 (Ubuntu):
status: New → Confirmed
Changed in python3.8 (Ubuntu):
status: Confirmed → Fix Released
quazgar (quazgar) wrote :

Just asking about the expected time the "well testing" is going to take for 3.6, so we can plan our server updates. For 3.8 the fix was released over a week ago.

quazgar (quazgar) wrote :

OK, according to https://ubuntu.com/security/CVE-2021-3177, the updated version has already been released, and the updated packages show up in the repositories. So probably this bug can be closed?

sgubuntuuser (sgubuntuuser) wrote :

We have run apt upgrade on our Ubuntu 18.04 systems and the systems are up to date now. However, the vulnerability tools still show that the vulnerability exists. Also, when checking the Python3 version on the systems it shows 3.6.9. As per the following page, the fixed version must be 3.6.9-1. Can anyone help with this? Thank you

https://ubuntu.com/security/CVE-2021-3177

Seth Arnold (seth-arnold) wrote : Re: [Bug 1916480] Re: CVE-2021-3177: buffer overflow when parsing floats

On Sat, Jun 12, 2021 at 03:15:10PM -0000, sgubuntuuser wrote:
> We have run apt upgrade on our Ubuntu 18.04 systems and the systems are
> up to date now. However, the vulnerability tools still show that the
> vulnerability exists. Also, when checking the Python3 version on the
> systems it shows 3.6.9. As per the following page, the fixed version
> must be 3.6.9-1. Can anyone help with this? Thank you
>
> https://ubuntu.com/security/CVE-2021-3177

Hello, I'm unable to reproduce what your tool is reporting:

root@u18:~# dpkg -l python3.6
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture
+++-=====================================-=======================-============
ii python3.6 3.6.9-1~18.04ubuntu1.4 amd64
root@u18:~# python3
Python 3.6.9 (default, Jan 26 2021, 15:33:00)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ctypes import *
>>> c_double.from_param(1e300)
<cparam 'd' (1e+300)>
>>>

How is your tool determining that this isn't fixed?

Thanks
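The thread above shows why a version-string scanner misreports this bug: Ubuntu 18.04 carries the fix as 3.6.9-1~18.04ubuntu1.4 while the interpreter still reports 3.6.9. The script below is an added example, not code from the bug report or from Ubuntu; it reproduces Seth's check (the repr of c_double.from_param(1e300)) in a child interpreter so that an unpatched build crashing on the overflow cannot take down the auditing process, and classifies the outcome. The function name probe_ctypes_repr and the verdict strings are this example's own.

```python
"""Behavioral check for CVE-2021-3177 (sprintf overflow in PyCArg_repr)."""
import subprocess
import sys

# The demonstration input from the bug description. A patched build
# prints "<cparam 'd' (1e+300)>"; an unpatched build formats the double
# with sprintf("%f"), writing ~300 digits into a fixed-size stack buffer.
PROBE = (
    "from ctypes import c_double\n"
    "print(repr(c_double.from_param(1e300)))\n"
)
FIXED_MARKER = "(1e+300)"


def probe_ctypes_repr(python=sys.executable, timeout=30):
    """Run PROBE under `python` and return a dict with a verdict.

    verdict is 'patched', 'vulnerable' or 'unknown'. Uses PIPE/universal_newlines
    rather than capture_output so the checker itself runs on Python 3.6 hosts.
    """
    try:
        proc = subprocess.run(
            [python, "-c", PROBE],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
            universal_newlines=True, timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        return {"verdict": "unknown", "detail": str(exc)}

    out = proc.stdout.strip()
    if proc.returncode == 0 and FIXED_MARKER in out:
        verdict = "patched"
    elif proc.returncode < 0:
        # Killed by a signal: SIGSEGV, or SIGABRT from the stack protector
        # ("stack smashing detected"). The overflowing sprintf path is present.
        verdict = "vulnerable"
    elif proc.returncode == 0 and out.startswith("<cparam 'd' (1") and len(out) > 100:
        # Survived the overflow but printed the full %f expansion: unpatched.
        verdict = "vulnerable"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "returncode": proc.returncode,
            "stdout": out, "stderr": proc.stderr.strip()}


if __name__ == "__main__":
    result = probe_ctypes_repr()
    print("%s: %s" % (sys.version.split()[0], result["verdict"]))
    sys.exit(0 if result["verdict"] == "patched" else 1)
```

Run it with the interpreter under audit (for example `python3.6 check.py` on the 18.04 host); a non-zero exit means the fix could not be confirmed behaviorally, whatever the version string says.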
