Multiple buffer overflow vulnerabilities in Python

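Basic fields

Vulnerability ID: SSV-3800
Disclosure/discovery date: Unknown
Submission date: 2008-08-07
Severity:
Category: Remote overflow
Affected component: Python
Vulnerability author: Unknown
Submitter: Knownsec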

Vulnerability details


BUGTRAQ ID: 30491
CVE ID: CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, CVE-2008-3143, CVE-2008-3144
CNCVE ID: CNCVE-20082315, CNCVE-20082316, CNCVE-20083142, CNCVE-20083143, CNCVE-20083144

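Python is an open-source scripting language. Python contains multiple integer overflow vulnerabilities that a remote attacker can exploit to cause a denial of service in an application or to execute arbitrary code.

1) Various integer overflows exist in core modules, including stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule and mmapmodule.

2) An integer overflow in the hashlib module can produce untrustworthy cryptographic digest results.

3) When unicode strings are processed, an integer overflow in unicode_resize() can lead to a buffer overflow on 32-bit systems. The vulnerable code is: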

    static int unicode_resize(register PyUnicodeObject *unicode,
                              Py_ssize_t length)
    {
        [...]
        oldstr = unicode->str;
        PyMem_RESIZE(unicode->str, Py_UNICODE, length + 1);
        [...]
        unicode->str[length] = 0;
        unicode->length = length;

    /* The assert() is compiled out when NDEBUG is defined, which leaves
       (n) * sizeof(type) unchecked. */
    #define PyMem_RESIZE(p, type, n) \
      ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
        ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )

4) On architectures that lack a vsnprintf() function, PyOS_vsnprintf() contains an integer overflow. The vulnerable code is:

    int
    PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
    {
        int len;  /* # bytes written, excluding \0 */
        [...]
        assert(str != NULL);
        assert(size > 0);
        assert(format != NULL);

        [...]
        /* Emulate it. */
        buffer = PyMem_MALLOC(size + 512);
        if (buffer == NULL) {
            len = -666;
            goto Done;
        }

        len = vsprintf(buffer, format, va);
        if (len < 0)
            /* ignore the error */;

        else if ((size_t)len >= size + 512)
            Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");

        else {
            const size_t to_copy = (size_t)len < size ?
                                    (size_t)len : size - 1;
            assert(to_copy < size);
            memcpy(str, buffer, to_copy);
            str[to_copy] = '\0';
        }
        PyMem_FREE(buffer);

    Done:
        [...]
        str[size-1] = '\0';
        return len;
    }

5) When a zero-length string is passed to PyOS_vsnprintf(), an integer overflow can be triggered, leading to memory corruption. The vulnerable code is:

    int
    PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
    {
        int len;  /* # bytes written, excluding \0 */

    #ifndef HAVE_SNPRINTF
        char *buffer;
    #endif
        assert(str != NULL);
        assert(size > 0);
        assert(format != NULL);
        [...]
        len = vsnprintf(str, size, format, va);
        [...]
        str[size-1] = '\0';
        return len;
    }
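The size arithmetic behind items 3 to 5, next to checked counterparts, as an added example that is neither CPython's code nor the published patch. It models a 32-bit size_t with uint32_t so the wraparound reproduces on 64-bit hosts; the type size32_t, the function names and the 4-byte Py_UNICODE width are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 32-bit size_t, so the wraparound reproduces on any host. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX
#define ELEM 4u   /* assumption: 4-byte Py_UNICODE (UCS4 build) */

/* Item 3, unchecked: (n) * sizeof(type) as PyMem_RESIZE computes it once
   assert() is compiled out by NDEBUG. Wraps modulo 2^32. */
static size32_t resize_bytes_unchecked(size32_t n)
{
    return (size32_t)(n * ELEM);
}

/* Item 3, checked: 0 on success, -1 if n elements cannot be represented. */
static int resize_bytes_checked(size32_t n, size32_t *out)
{
    if (n > SIZE32_MAX / ELEM)
        return -1;
    *out = n * ELEM;
    return 0;
}

/* Items 4 and 5, checked: reject size == 0 (str[size-1] would index
   SIZE32_MAX) and any size for which size + 512 wraps. */
static int scratch_size_checked(size32_t size, size32_t *out)
{
    if (size == 0 || size > SIZE32_MAX - 512u)
        return -1;
    *out = size + 512u;
    return 0;
}

int main(void)
{
    size32_t out = 0;
    size32_t n = 0x40000000u + 1u;   /* length + 1 with length = 2^30 */
    printf("unchecked bytes: %u\n", (unsigned)resize_bytes_unchecked(n));
    printf("checked resize:  %d\n", resize_bytes_checked(n, &out));
    printf("checked scratch: %d\n", scratch_size_checked(0xFFFFFF00u, &out));
    printf("size 0 rejected: %d\n", scratch_size_checked(0, &out));
    return 0;
}
```

In the unchecked case the request shrinks to 4 bytes while the caller still writes at index length, which is why the check has to run in release builds and not only under assert().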

Affected systems:

Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 7.10 sparc
Ubuntu Ubuntu Linux 7.10 powerpc
Ubuntu Ubuntu Linux 7.10 lpia
Ubuntu Ubuntu Linux 7.10 i386
Ubuntu Ubuntu Linux 7.10 amd64
Ubuntu Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu Linux 7.04 powerpc
Ubuntu Ubuntu Linux 7.04 i386
Ubuntu Ubuntu Linux 7.04 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 12.1
Slackware Linux 12.0
Slackware Linux 11.0
Slackware Linux -current
Python Software Foundation Python 2.5.2
Python Software Foundation Python 2.5.1
Python Software Foundation Python 2.4.4
Python Software Foundation Python 2.4.3
  • Trustix Secure Linux 3.0.5
Python Software Foundation Python 2.4.2
Python Software Foundation Python 2.4.1
Python Software Foundation Python 2.4
Python Software Foundation Python 2.3.6
Python Software Foundation Python 2.3.5
Python Software Foundation Python 2.3.4
  • MandrakeSoft Linux Mandrake 10.1 x86_64
  • MandrakeSoft Linux Mandrake 10.1
  • S.u.S.E. Linux Personal 9.2 x86_64
  • S.u.S.E. Linux Personal 9.2
  • Ubuntu Ubuntu Linux 4.1 ppc
  • Ubuntu Ubuntu Linux 4.1 ia64
  • Ubuntu Ubuntu Linux 4.1 ia32
Python Software Foundation Python 2.3.3
  • MandrakeSoft Corporate Server 3.0 x86_64
  • MandrakeSoft Corporate Server 3.0
  • MandrakeSoft Linux Mandrake 10.0 AMD64
  • MandrakeSoft Linux Mandrake 10.0
  • MandrakeSoft Linux Mandrake 9.2 amd64
  • MandrakeSoft Linux Mandrake 9.2
  • S.u.S.E. Linux Personal 9.0 x86_64
  • S.u.S.E. Linux Personal 9.0
Python Software Foundation Python 2.3.2
Python Software Foundation Python 2.3.1
Python Software Foundation Python 2.3 b1
Python Software Foundation Python 2.3
  • S.u.S.E. Linux Personal 9.0 x86_64
  • S.u.S.E. Linux Personal 9.0
Python Software Foundation Python 2.2.3
  • RedHat Desktop 3.0
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux WS 3
  • Ubuntu Ubuntu Linux 4.1 ppc
  • Ubuntu Ubuntu Linux 4.1 ia64
  • Ubuntu Ubuntu Linux 4.1 ia32
Python Software Foundation Python 2.2.2
  • OpenPKG OpenPKG 1.2
  • RedHat Linux 7.3
  • S.u.S.E. Linux Personal 8.2
Python Software Foundation Python 2.2.1
  • Debian Linux 3.0 sparc
  • Debian Linux 3.0 s/390
  • Debian Linux 3.0 ppc
  • Debian Linux 3.0 mipsel
  • Debian Linux 3.0 mips
  • Debian Linux 3.0 m68k
  • Debian Linux 3.0 ia-64
  • Debian Linux 3.0 ia-32
  • Debian Linux 3.0 hppa
  • Debian Linux 3.0 arm
  • Debian Linux 3.0 alpha
  • Debian Linux 3.0
  • Gentoo Linux 1.4 _rc1
  • Gentoo Linux 1.2
  • MandrakeSoft Corporate Server 2.1 x86_64
  • MandrakeSoft Corporate Server 2.1
  • MandrakeSoft Linux Mandrake 9.0
  • OpenPKG OpenPKG 1.1
  • S.u.S.E. Linux 8.1
Python Software Foundation Python 2.2
  • Conectiva Linux 8.0
  • MandrakeSoft Linux Mandrake 8.2 ppc
  • MandrakeSoft Linux Mandrake 8.2
  • MandrakeSoft Linux Mandrake 8.1 ia64
  • MandrakeSoft Linux Mandrake 8.1
Python Software Foundation Python 2.1.3
  • Debian Linux 3.0
Python Software Foundation Python 2.1.2
Python Software Foundation Python 2.1.1
  • RedHat Linux 7.2
  • Sun Linux 5.0.7
Python Software Foundation Python 2.1
  • Conectiva Linux 7.0
  • Debian Linux 3.1 sparc
  • Debian Linux 3.1 s/390
  • Debian Linux 3.1 ppc
  • Debian Linux 3.1 mipsel
  • Debian Linux 3.1 mips
  • Debian Linux 3.1 m68k
  • Debian Linux 3.1 ia-64
  • Debian Linux 3.1 ia-32
  • Debian Linux 3.1 hppa
  • Debian Linux 3.1 arm
  • Debian Linux 3.1 amd64
  • Debian Linux 3.1 alpha
  • Debian Linux 3.1
  • Debian Linux 3.0 sparc
  • Debian Linux 3.0 s/390
  • Debian Linux 3.0 ppc
  • Debian Linux 3.0 mipsel
  • Debian Linux 3.0 mips
  • Debian Linux 3.0 m68k
  • Debian Linux 3.0 ia-64
  • Debian Linux 3.0 ia-32
  • Debian Linux 3.0 hppa
  • Debian Linux 3.0 arm
  • Debian Linux 3.0 alpha
  • Debian Linux 3.0
Python Software Foundation Python 2.0.1
Python Software Foundation Python 2.0
  • MandrakeSoft Linux Mandrake 8.0 ppc
  • MandrakeSoft Linux Mandrake 8.0
Python Software Foundation Python 2.5
Gentoo Linux

Gentoo

Gentoo users can obtain the corresponding patches from the following security advisory: http://security.gentoo.org/glsa/glsa-200807-16.xml

Python 2.4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r14"

Python 2.5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.2-r6"

Python has released an upgrade patch that fixes this security issue. Download it from the vendor's site: http://svn.python.org/view?rev=65335&view=rev


PoC

No PoC available

Solution

Official solution

Upgrade to the latest non-vulnerable version.
