Headline
CVE-2007-2052: #416934 - python2.5: off-by-one bug in strxfrm() (causes information leak)
Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.
Reported by: “Piotr Engelking” [email protected]
Date: Sat, 31 Mar 2007 15:03:02 UTC
Severity: important
Tags: patch, security
Found in version python2.5/2.5-5
Fixed in version 2.5.1-1
Done: Matthias Klose [email protected]
Bug is archived. No further changes may be made.
Report forwarded to [email protected], Matthias Klose [email protected]:
Bug#416931; Package python2.4. (full text, mbox, link).
Acknowledgement sent to “Piotr Engelking” [email protected]:
New Bug report received and forwarded. Copy sent to Matthias Klose [email protected]. (full text, mbox, link).
Message #5 received at [email protected] (full text, mbox, reply):
Package: python2.4
Version: 2.4.4-2
Severity: important
Tags: security patch
In Modules/_localemodule.c, PyLocale_strxfrm() miscalculates the length of the strxfrm() destination buffer, which causes the function to return a wrong string, and to read past the destination buffer, which may (and does) result in an information leak. The bug is also present in python2.5.
The attached patch fixes this problem.
-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=pl_PL.UTF8 (charmap=UTF-8)

Versions of packages python2.4 depends on:
ii  libbz2-1.0         1.0.3-6       high-quality block-sorting file co
ii  libc6              2.3.6.ds1-13  GNU C Library: Shared libraries
ii  libdb4.4           4.4.20-8      Berkeley v4.4 Database Libraries [
ii  libncursesw5       5.5-5         Shared libraries for terminal hand
ii  libreadline5       5.2-2         GNU readline and history libraries
ii  libssl0.9.8        0.9.8c-4      SSL shared libraries
ii  mime-support       3.39-1        MIME files 'mime.types' & 'mailcap
ii  python2.4-minimal  2.4.4-2       A minimal subset of the Python lan
python2.4 recommends no packages.
-- no debconf information
[strxfrm-leak.patch (text/x-patch, attachment)]
Bug 416931 cloned as bug 416934. Request was from “Piotr Engelking” [email protected] to [email protected]. (Sat, 31 Mar 2007 15:09:05 GMT) (full text, mbox, link).
Bug reassigned from package `python2.4’ to `python2.5’. Request was from “Piotr Engelking” [email protected] to [email protected]. (Sat, 31 Mar 2007 15:09:08 GMT) (full text, mbox, link).
Changed Bug title to python2.5: off-by-one bug in strxfrm() (causes information leak) from python2.4: off-by-one bug in strxfrm() (causes information leak). Request was from “Piotr Engelking” [email protected] to [email protected]. (Sat, 31 Mar 2007 15:09:10 GMT) (full text, mbox, link).
Bug marked as found in version 2.5-5. Request was from “Piotr Engelking” [email protected] to [email protected]. (Sat, 31 Mar 2007 17:27:02 GMT) (full text, mbox, link).
Information forwarded to [email protected], Matthias Klose [email protected]:
Bug#416934; Package python2.5. (full text, mbox, link).
Acknowledgement sent to Lubomir Kundrak [email protected]:
Extra info received and forwarded to list. Copy sent to Matthias Klose [email protected]. (full text, mbox, link).
Message #18 received at [email protected] (full text, mbox, reply):
Piotr: Could you please provide a reproducer, or a string/locale couple that triggered the bug for you?
In my system, when n1 returned by strxfrm() was equal to n2, the string was terminated with \0, only that it was truncated (so a subsequent attempt to read it did not lead to an out-of-bound read). Though the manual states that the behavior is undefined. I did not try it in Debian, but I can't really imagine why Debian's glibc would behave differently from Fedora's.
Btw. I can't imagine a real-world situation where this would lead to an information disclosure. The return value of strxfrm() is never meant to be displayed to the user.
-- Lubomir Kundrak (Red Hat Security Response Team)
Information forwarded to [email protected], Matthias Klose [email protected]:
Bug#416934; Package python2.5. (full text, mbox, link).
Acknowledgement sent to “Piotr Engelking” [email protected]:
Extra info received and forwarded to list. Copy sent to Matthias Klose [email protected]. (full text, mbox, link).
Message #23 received at [email protected] (full text, mbox, reply):
Lubomir Kundrak [email protected] wrote:
Piotr: Could you please provide a reproducer, or a string/locale couple that triggered the bug for you?
Ok, sorry for being so terse in the original report:
$ cat foo
#!/usr/bin/python
import locale
print locale.setlocale(locale.LC_COLLATE, 'pl_PL.UTF8')
print repr(locale.strxfrm('a'))
$ ./foo
pl_PL.UTF8
'\x0c\x01\x08\x01\x02\x01\x18\x08\x10'
$
Here, '\x0c\x01\x08\x01\x02\x01' comes from glibc's strxfrm(), and the rest of the string is the contents of the memory immediately after the destination buffer. (It is also possible to get identifiable parts of the strings processed by the program before the strxfrm() call, but I don't have a reproducible test case for that.)
Btw. I can't imagine a real-world situation where this would lead to an information disclosure. The return value of strxfrm() is never meant to be displayed to the user.
Real-world case, and how I found the bug in the first place: a webapp that allows a user to upload some strings to the server, and other users to view them and sort them in various ways. Since JavaScript doesn't have support for locale-aware string comparison, each string carries a sorting key, which is the return value of strxfrm(), and which is visible in the page source.
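The allocation logic behind both the original report (a buffer one byte too small, no NUL written, read past the end) and the reproducer above, as an added example that is not the reporter's patch nor CPython's own source. The wrapper below models the pre-2.5.1 PyLocale_strxfrm() pattern as the report describes it (allocate strlen+1, grow only when strictly more is reported), next to a corrected version; expanding_xfrm is a constructed stand-in for a locale such as pl_PL.UTF8 whose collation keys are longer than the input, so the off-by-one can be triggered without that locale installed. The check() helper and the alloc_len out-parameter are assumptions added here so the test can inspect termination without itself reading out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <locale.h>

/* Any function with strxfrm(3)'s signature and contract: return the length the
 * full transform needs (not counting the NUL) and write at most n bytes.  The
 * buffer is only guaranteed complete and NUL-terminated when the return value
 * is strictly less than n; otherwise its contents are unspecified. */
typedef size_t (*xfrm_fn)(char *dst, const char *src, size_t n);

/* Constructed stand-in for a locale whose collation keys are longer than the
 * input: each input byte becomes two non-zero key bytes.  When the key does
 * not fit it fills all n bytes and writes no NUL, which is one of the
 * behaviours the standard permits and matches what the Debian report saw. */
static size_t expanding_xfrm(char *dst, const char *src, size_t n)
{
    size_t need = 2 * strlen(src);
    size_t i;
    for (i = 0; i < need && i < n; i++)
        dst[i] = (i % 2 == 0) ? src[i / 2] : (char)0x01;
    if (need < n)
        dst[need] = '\0';
    return need;
}

/* Wrapper shaped like the vulnerable logic as the report describes it.
 * Off-by-one: when the key needs exactly n1 bytes, the NUL does not fit, the
 * "n2 > n1" test is false, and the unterminated buffer is handed to a
 * strlen()/copy that walks past the allocation.  The realloc branch has the
 * same defect: n2 bytes hold the key but not its terminator. */
static char *strxfrm_wrapper_vulnerable(xfrm_fn xfrm, const char *s, size_t *alloc_len)
{
    size_t n1 = strlen(s) + 1;          /* assume no change in size, first */
    char *buf = malloc(n1);
    if (!buf) return NULL;
    size_t n2 = xfrm(buf, s, n1);
    if (n2 > n1) {                      /* BUG: n2 == n1 does not fit either */
        char *tmp = realloc(buf, n2);   /* BUG: no room for the NUL */
        if (!tmp) { free(buf); return NULL; }
        buf = tmp;
        xfrm(buf, s, n2);
        n1 = n2;
    }
    *alloc_len = n1;
    return buf;
}

/* Corrected wrapper: count the NUL in the required size, so the buffer is
 * grown whenever the reported length is >= the buffer size. */
static char *strxfrm_wrapper_fixed(xfrm_fn xfrm, const char *s, size_t *alloc_len)
{
    size_t n1 = strlen(s) + 1;
    char *buf = malloc(n1);
    if (!buf) return NULL;
    size_t n2 = xfrm(buf, s, n1) + 1;   /* bytes needed including the NUL */
    if (n2 > n1) {
        char *tmp = realloc(buf, n2);
        if (!tmp) { free(buf); return NULL; }
        buf = tmp;
        xfrm(buf, s, n2);               /* now returns n2 - 1 < n2: terminated */
        n1 = n2;
    }
    *alloc_len = n1;
    return buf;
}

/* 1 if a NUL lies inside the allocation (safe to treat as a C string),
 * 0 if the first NUL is beyond it, i.e. the over-read the CVE describes.
 * memchr is bounded by alloc_len, so the check itself never reads past the end. */
static int terminated_within(const char *buf, size_t alloc_len)
{
    return memchr(buf, '\0', alloc_len) != NULL;
}

/* Run one wrapper over one input and report termination: 1 = safe, 0 = over-read,
 * -1 = allocation failure. */
static int check(char *(*wrapper)(xfrm_fn, const char *, size_t *), xfrm_fn xfrm, const char *s)
{
    size_t len = 0;
    char *buf = wrapper(xfrm, s, &len);
    if (!buf) return -1;
    int ok = terminated_within(buf, len);
    free(buf);
    return ok;
}

int main(void)
{
    setlocale(LC_COLLATE, "C");
    printf("expanding keys, vulnerable: %s\n",
           check(strxfrm_wrapper_vulnerable, expanding_xfrm, "a") ? "terminated" : "NOT terminated");
    printf("expanding keys, fixed:      %s\n",
           check(strxfrm_wrapper_fixed, expanding_xfrm, "a") ? "terminated" : "NOT terminated");
    /* The real strxfrm() in the C locale never expands, so the vulnerable
     * wrapper passes too: the bug stays invisible until a locale whose keys
     * are longer than the input (pl_PL.UTF8 in the report) is selected. */
    printf("C locale, vulnerable:       %s\n",
           check(strxfrm_wrapper_vulnerable, strxfrm, "abc") ? "terminated" : "NOT terminated");
    return 0;
}
```

The useful habit the fixed version shows is to treat the value strxfrm() returns as "bytes needed not counting the NUL" and compare it against the buffer size with >=, never >; the same rule applies to snprintf(), wcstombs() and every other size-returning API of that shape.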
Reply sent to Matthias Klose [email protected]:
You have taken responsibility. (full text, mbox, link).
Notification sent to “Piotr Engelking” [email protected]:
Bug acknowledged by developer. (full text, mbox, link).
Message #28 received at [email protected] (full text, mbox, reply):
Version: 2.5.1-1
Fixed in 2.5.1-1
Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Sun, 08 Jul 2007 07:41:39 GMT) (full text, mbox, link).
Debian bug tracking system administrator <[email protected]>. Last modified: Wed Aug 2 18:08:04 2023; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.