CVE-2008-1721: Issue 2586: Integer signedness bugs in zlib modules
Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
Created on 2008-04-08 15:41 by jnferguson, last changed 2022-04-11 14:56 by admin. This issue is now closed.
Files
File name | Uploaded
python-2.5.2-zlib-unflush-misallocation.py | jnferguson, 2008-04-08 15:41
python-2.5.2-zlib-unflush-signedness.py | jnferguson, 2008-04-08 15:42
Messages (7)
msg65171 - (view)
Author: Justin Ferguson (jnferguson)
Date: 2008-04-08 15:41
The zlib module in multiple places fails to adequately check the sanity of its arguments, resulting in memory corruption. Please see the two attached PoCs.
msg65176 - (view)
Author: Raymond Hettinger (rhettinger) *
Date: 2008-04-08 16:04
Verified that the script crashes Python.
msg65191 - (view)
Author: Justin Ferguson (jnferguson)
Date: 2008-04-08 16:49
Just so you know, the scripts actually do two different things -- the bugs are both related to negative values though. One causes PyString_FromStringAndSize() to try and allocate zero bytes (the -24 one), the other causes like 22 bytes to get allocated and then takes advantage of the sign-conversion when the value is assigned to the zlib structure member (the member is unsigned, the value is signed).
Honestly, you guys should consider enforcing the safe downcast usage because signedness issues are all over your code base (as I’m sure you know).
msg65229 - (view)
Author: Alexander Belopolsky (belopolsky) *
Date: 2008-04-09 01:57
This has just been fixed in the trunk: r62235.
msg65230 - (view)
Author: Raymond Hettinger (rhettinger) *
Date: 2008-04-09 02:20
Thx
msg65302 - (view)
Author: David Remahl (chmod007)
Date: 2008-04-10 17:17
I submit that a check for negative values (non-assert-based) should be added to PyString_FromStringAndSize(). This API is called from many, many places, and in several cases the operand could probably be negative. It should raise an overflow exception for a negative value.
msg65303 - (view)
Author: Alexander Belopolsky (belopolsky) *
Date: 2008-04-10 17:34
On Thu, Apr 10, 2008 at 1:17 PM, David Remahl wrote:
> I submit that a check for negative values (non-assert-based) should be added to PyString_FromStringAndSize().
See issue2587 and r62262.
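A simplified C model of the two failure modes described in msg65191 and of the non-assert negative-length check proposed in msg65302, added here as an illustration; it is not code from CPython or from the attached PoCs. The 24-byte header constant, the function names and the sample lengths are assumptions made for the model.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed fixed object-header size for this model, chosen so that a length
 * of -24 gives the zero-byte request mentioned in msg65191. */
#define MODEL_HEADER 24

/* Unchecked: bytes requested from the allocator for header + signed length. */
size_t alloc_request_unchecked(int length)
{
    return (size_t)(MODEL_HEADER + length);
}

/* Unchecked: the same signed length stored in an unsigned member, as with
 * zlib's z_stream.avail_out (an unsigned int). */
unsigned int avail_out_unchecked(int length)
{
    return (unsigned int)length;
}

/* Checked: reject non-positive or overflowing lengths before any allocation
 * or narrowing assignment. Returns 0 on success, -1 if rejected. */
int prepare_output_checked(int length, size_t *request, unsigned int *avail_out)
{
    if (length <= 0 || length > INT_MAX - MODEL_HEADER)
        return -1;
    *request = (size_t)MODEL_HEADER + (size_t)length;
    *avail_out = (unsigned int)length;
    return 0;
}

int main(void)
{
    const int samples[] = { -24, -2, 16384 };   /* constructed sample lengths */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t req = 0;
        unsigned int out = 0;
        int len = samples[i];
        printf("length=%d unchecked: request=%zu avail_out=%u", len,
               alloc_request_unchecked(len), avail_out_unchecked(len));
        if (prepare_output_checked(len, &req, &out) == 0)
            printf(" | checked: request=%zu avail_out=%u\n", req, out);
        else
            printf(" | checked: rejected\n");
    }
    return 0;
}
```

In the unchecked path a small negative length yields a tiny allocation request while the unsigned output-space field reports close to `UINT_MAX` bytes available, which is the mismatch the length check removes.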
History
Date | User | Action | Args
2022-04-11 14:56:33 | admin | set | github: 46838
2008-04-10 17:34:48 | belopolsky | set | messages: + msg65303
2008-04-10 17:17:29 | chmod007 | set | nosy: + chmod007; messages: + msg65302
2008-04-09 02:20:17 | rhettinger | set | status: open -> closed; resolution: fixed; messages: + msg65230
2008-04-09 01:57:09 | belopolsky | set | nosy: + belopolsky; messages: + msg65229
2008-04-08 16:49:18 | jnferguson | set | messages: + msg65191
2008-04-08 16:04:15 | rhettinger | set | priority: critical; nosy: + rhettinger; messages: + msg65176
2008-04-08 15:42:05 | jnferguson | set | files: + python-2.5.2-zlib-unflush-signedness.py
2008-04-08 15:41:40 | jnferguson | create |