Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.

Reported by: "Piotr Engelking" <inkerman42@gmail.com>

Date: Sat, 31 Mar 2007 15:03:02 UTC

Severity: important

Tags: patch, security

Found in version python2.5/2.5-5

Fixed in version 2.5.1-1

**Done:** Matthias Klose <doko@cs.tu-berlin.de>

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416931; Package python2.4. (full text, mbox, link).

**Acknowledgement sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Package: python2.4
Version: 2.4.4-2
Severity: important
Tags: security patch

In Modules/\_localemodule.c, PyLocale\_strxfrm() miscalculates the length of
the strxfrm() destination buffer, which causes the function to return a
wrong string, and to read past the destination buffer, which may (and does)
result in an information leak. The bug is also present in python2.5.

The attached patch fixes this problem.


-- System Information:
Debian Release: 4.0
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (x86\_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC\_CTYPE=pl\_PL.UTF8 (charmap=UTF-8)

Versions of packages python2.4 depends on:
ii  libbz2-1.0                  1.0.3-6      high-quality block-sorting file co
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libdb4.4                    4.4.20-8     Berkeley v4.4 Database Libraries \[
ii  libncursesw5                5.5-5        Shared libraries for terminal hand
ii  libreadline5                5.2-2        GNU readline and history libraries
ii  libssl0.9.8                 0.9.8c-4     SSL shared libraries
ii  mime-support                3.39-1       MIME files 'mime.types' & 'mailcap
ii  python2.4-minimal           2.4.4-2      A minimal subset of the Python lan

python2.4 recommends no packages.

-- no debconf information

\[strxfrm-leak.patch (text/x-patch, attachment)\]

**Bug 416931 cloned as bug 416934.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:05 GMT) (full text, mbox, link).

**Bug reassigned from package \`python2.4' to \`python2.5'.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:08 GMT) (full text, mbox, link).

**Changed Bug title to python2.5: off-by-one bug in strxfrm() (causes information leak) from python2.4: off-by-one bug in strxfrm() (causes information leak).** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:10 GMT) (full text, mbox, link).

**Bug marked as found in version 2.5-5.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 17:27:02 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416934; Package python2.5. (full text, mbox, link).

**Acknowledgement sent** to Lubomir Kundrak <lkundrak@redhat.com>:  
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #18 received at 416934@bugs.debian.org (full text, mbox, reply):

Piotr: Could you please provide a reproducer, or a string/locale couple
that triggered th bug for you?

In my system, when n1 returned by strxfrm() was equal to n2, the string
was terminated with \\0, only that it was truncated (so a subsequent
attempt to read it did not lead to an out-of-bound read). Though the
manual states that the behavior is undefined. I did not try it in
Debian, but I can't really imagine why would Debian's glibc behave
differently from Fedora's one.

Btw. I can't imagine a real-world situation where would this lead to an
information disclosure. The return value of strxfrm() is never meant to
be displayed to the user.

-- 
Lubomir Kundrak (Red Hat Security Response Team)

**Information forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416934; Package python2.5. (full text, mbox, link).

**Acknowledgement sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #23 received at 416934@bugs.debian.org (full text, mbox, reply):

Lubomir Kundrak <lkundrak@redhat.com> wrote:
> Piotr: Could you please provide a reproducer, or a string/locale couple
> that triggered th bug for you?

Ok, sorry for being so terse in the original report:

$ cat foo
#!/usr/bin/python

import locale

print locale.setlocale(locale.LC\_COLLATE, 'pl\_PL.UTF8')
print repr(locale.strxfrm('a'))
$ ./foo
pl\_PL.UTF8
'\\x0c\\x01\\x08\\x01\\x02\\x01\\x18\\x08\\x10'
$

Here, '\\x0c\\x01\\x08\\x01\\x02\\x01' comes from glibc's strxfrm(), and the
rest of the string is the contents of the memory immediately after the
destination buffer. (It is also possible to get identifiable parts of
the strings processed by the program before the strxfrm() call but I
don't have a reproducible test case for that.)

> Btw. I can't imagine a real-world situation where would this lead to an
> information disclosure. The return value of strxfrm() is never meant to
> be displayed to the user.

Real-world case, and how I have found the bug in the first place: a
webapp that allows an user to upload some strings to the server, and
other users to view them and sort them in various ways. Since
Javascript doesn't have support for locale-aware string comparison,
each string carries a sorting key, which is the return value of
strxfrm(), and which is visible in the page source.

**Reply sent** to Matthias Klose <doko@cs.tu-berlin.de>:  
You have taken responsibility. (full text, mbox, link).

**Notification sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
Bug acknowledged by developer. (full text, mbox, link).

Message #28 received at 416934-done@bugs.debian.org (full text, mbox, reply):

Version: 2.5.1-1

Fixed in 2.5.1-1

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Jul 2007 07:41:39 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Wed Aug 2 18:08:04 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2007-2052: #416934 - python2.5: off-by-one bug in strxfrm() (causes information leak)

Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a "stack overflow," and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function.  NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected.

**Sun4U Company**

“We run a datacenter/hostingcenter in Denmark and are currently running with two Protectors (P1000's) - we handle email for 109 domains, that would be between 550 and 1500 email adresses. Our monthly message handling is between 10000 and 20000 emails. The system has an overall great performance, and it really DOES take care of SPAM and Viruses. I can only recommend the solution.”

**Verity Global Solutions Pvt Ltd**

“As a leading provider of business process outsourcing solutions, Verity Global Solutions helps mortgage organizations do more with less, so they can scale quickly and grow business. Verity supports every task associated with originating, servicing and purchasing loans—leveraging automation to reduce process turn times and costs while enhancing loan quality. Our global team works seamlessly behind the scenes, 24/7, allowing clients to close, sell and service loans faster than they could ever imagine.”

**Pensec**

“I have to say this in my over 15 years of working in the IT filed I have never encountered such a group as yourselves dedicated to finding solutions to your customers needs and raised issues. I foresee you guys as being not one a leader in the field overseas but in time throughout the world wont be long before SecPoint becomes a world leader and first most innovator of Network security solutions ! - Lance Leonaitis”

CVE-2006-1542: SecPoint | Vulnerability Scanning | UTM Firewall

ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.

Index: modules/ssl/ssl\_engine\_kernel.c =================================================================== --- modules/ssl/ssl\_engine\_kernel.c (revision 264993) +++ modules/ssl/ssl\_engine\_kernel.c (working copy) @@ -406,8 +406,8 @@ (!(verify\_old & SSL\_VERIFY\_PEER) && (verify & SSL\_VERIFY\_PEER)) || - (!(verify\_old & SSL\_VERIFY\_PEER\_STRICT) && - (verify & SSL\_VERIFY\_PEER\_STRICT))) + (!(verify\_old & SSL\_VERIFY\_FAIL\_IF\_NO\_PEER\_CERT) && + (verify & SSL\_VERIFY\_FAIL\_IF\_NO\_PEER\_CERT))) { renegotiate = TRUE; /\* optimization \*/

CVE-2005-2700

mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop.

Skip to content

*   *   Console
    *   Support
    *   Developers
    *   Partner Connect
    *   redhat.com
    *   Start a trial
    

Contact us

Welcome,

Log in to your Red Hat account

Log in

Your Red Hat account gives you access to your member profile and preferences, and the following services based on your customer status:

*   Customer Portal
*   User management

*   Certification Central

Register now

Not registered yet? Here are a few reasons why you should be:

*   Browse Knowledgebase articles, manage support cases and subscriptions, download updates, and more from one place.
*   View users in your organization, and edit their account information, preferences, and permissions.
*   Manage your Red Hat certifications, view exam history, and download certification-related logos and documents.

For your security, if you're on a public computer and have finished using your Red Hat services, please be sure to log out.

Log out

Account Log in

*   Products
*   Solutions
*   Services & support
*   Resources
*   Partners
*   About

**Red Hat Support****Go beyond support by engaging with our experts**

Our teams collaborate with you to ensure you accomplish your goals with Red Hat solutions. The relationship we build with you is designed to provide you with the tools and resources you need to find success on your IT journey.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 9 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

**Check out our support channels**

**Have questions?**

CVE-2004-0748: Support

The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.

Several vulnerabilities have been found in Apache 2 and mod\_dav for Apache 1.3 which could allow a remote attacker to cause a Denial of Service or a local user to get escalated privileges.

The Apache HTTP server is one of most popular web servers on the internet. mod\_ssl provides SSL v2/v3 and TLS v1 support for it and mod\_dav is the Apache module for Distributed Authoring and Versioning (DAV).

A potential infinite loop has been found in the input filter of mod\_ssl (CAN-2004-0748) as well as a possible segmentation fault in the char\_buffer\_read function if reverse proxying to a SSL server is being used (CAN-2004-0751). Furthermore, mod\_dav, as shipped in Apache httpd 2 or mod\_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can be triggered remotely (CAN-2004-0809). The third issue is an input validation error found in the IPv6 URI parsing routines within the apr-util library (CAN-2004-0786). Additionally a possible buffer overflow has been reported when expanding environment variables during the parsing of configuration files (CAN-2004-0747).

A remote attacker could cause a Denial of Service either by aborting a SSL connection in a special way, resulting in CPU consumption, by exploiting the segmentation fault in mod\_ssl or the mod\_dav flaw. A remote attacker could also crash a httpd child process by sending a specially crafted URI. The last vulnerabilty could be used by a local user to gain the privileges of a httpd child, if the server parses a carefully prepared .htaccess file.

There is no known workaround at this time.

All Apache 2 users should upgrade to the latest version:

 # emerge sync

 # emerge -pv ">=www-servers/apache-2.0.51"
 # emerge ">=www-servers/apache-2.0.51"

All mod\_dav users should upgrade to the latest version:

 # emerge sync

 # emerge -pv ">=net-www/mod\_dav-1.0.3-r2"
 # emerge ">=net-www/mod\_dav-1.0.3-r2"

CVE-2004-0809: Multiple vulnerabilities (GLSA 200409-21) — Gentoo security

Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.

CVE-2004-0488: Bugtraq

X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files.

CVE-2003-1229

The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.

Tag

#ssl