
             AUSCERT External Security Bulletin Redistribution

                    ESB-2008.0382 -- [Win][UNIX/Linux]
            Multiple buffer overflow vulnerabilities in Python
                               15 April 2008


        AusCERT Security Bulletin Summary

Product:              Python 2.5.2 and prior
Publisher:            IOActive
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
Access:               Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

Title: Incorrect input validation in PyString_FromStringAndSize() 
       leads to multiple buffer overflows
Date Discovered: ??-April-2008
Date Reported: 08-April-2008
Date Patched: 09-April-2008
Date Disclosed: 11-April-2008
Criticality: High 

Affected Products
- -----------------

Python 2.5.2, earlier releases and unstable versions are likely to be vulnerable

- --------

The Python core API provides multiple functions for the allocation
of string objects, specifically an API call that allows for either
the allocation or reallocation of a PyStringObject. This function,
PyString_FromStringAndSize(), takes two parameters: a pointer and a
signed integer. If the pointer is non-NULL then the memory it points
to is reallocated to the size specified by the second parameter. If
the pointer is NULL then the number of bytes specified by the integer
are allocated and returned.

During the course of its operations this second parameter is not
validated to contain a positive value. It is instead summed with the
size of a PyStringObject and passed as a length to an allocation
function, potentially misallocating memory.

The result of this was multiple buffer overflows in various
components, such as the previously disclosed zlib bug, the SSL
module, et cetera. Furthermore, a Python developer, Alexander
Belopolsky, noted that the functions PyBytes_FromStringAndSize()
and PyUnicode_FromStringAndSize() contained the same

Technical Details
- -----------------


52  PyObject *
53  PyString_FromStringAndSize(const char *str, Py_ssize_t size)
54  {
55          register PyStringObject *op;
56          assert(size >= 0);
57          if (size == 0 && (op = nullstring) != NULL) {
63          }
64          if (size == 1 && str != NULL &&
65              (op = characters[*str & UCHAR_MAX]) != NULL)
66          {
72          }
74          /* Inline PyObject_NewVar */
75          op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) +

The type Py_ssize_t is defined to be one of a number of types, dependent
on platform; however, regardless of platform, it will be signed. There
is an assert() at line 56 that attempts to verify the sanity of the
second parameter, but in non-debug builds the assert() is omitted.
Then at line 75 the size parameter and the size of a string object
are summed together and passed as a parameter to PyObject_MALLOC().

Reproduction / Proof-of-Concept
- -------------------------------

When the length parameter contains a value of -24, the allocator is
told to reserve 0 bytes of memory; however, the allocator modifies
the request and will allocate one byte of memory. For values ranging
between -2 and -23 a small amount of memory will be allocated, because
the value is summed with the size of a PyStringObject. Because this
is an API call, exploitation beyond that is dependent on the caller
and the current environment.

- -----------

This bug was patched in CVS, patching all three object types. 
Further details can be found at http://bugs.python.org/issue2587
and http://svn.python.org/view?rev=62271&view=rev and 

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
