Bug 18691 - python/python3 new security issues CVE-2016-0772, CVE-2016-5636, CVE-2016-5699
Summary: python/python3 new security issues CVE-2016-0772, CVE-2016-5636, CVE-2016-5699
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/692378/
Whiteboard: has_procedure advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-06-12 11:14 CEST by Philippe Makowski
Modified: 2016-06-22 19:34 CEST (History)
7 users

See Also:
Source RPM: python-2.7.9-2.mga5.src python3-3.4.3-1.1.mga5.src
CVE:
Status comment:


Attachments
Test script from Comment 2 (513 bytes, text/plain)
2016-06-16 09:58 CEST, Lewis Smith

Description Philippe Makowski 2016-06-12 11:14:08 CEST
In zipimport module,
if compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1,
then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap,
but after that in fread, it overflows heap.


A CVE has to be assigned for a security issue fixed upstream in python and python3

http://openwall.com/lists/oss-security/2016/06/11/2
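The size arithmetic described above, as an added example that is not CPython's code: a C model of the unchecked computation beside the check the fix adds. The function names (read_le32_signed, unchecked_bytes_size, checked_bytes_size, unchecked_overflows) are hypothetical and the 0xFFFFFFFF input is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of zipimport's 4-byte little-endian field reader: the value is
 * sign-extended into a C long, so an on-disk 0xFFFFFFFF becomes -1. */
static long read_le32_signed(const unsigned char *buf)
{
    uint32_t u = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                 ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return (long)(int32_t)u;
}

/* Unchecked arithmetic as the report describes it: compressed entries get
 * one extra byte, a zero result is bumped to 1, and the raw data_size is
 * what fread() is later asked to read (as size_t, so -1 wraps to SIZE_MAX). */
static long unchecked_bytes_size(long data_size, int compress, size_t *read_len)
{
    long bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    *read_len = (size_t)data_size;
    return bytes_size;
}

/* Hardened version: reject a negative size before any arithmetic; this is
 * the "negative data size" ZipImportError the fixed packages raise. */
static int checked_bytes_size(long data_size, int compress,
                              long *bytes_size, size_t *read_len)
{
    if (data_size < 0)
        return -1;
    *bytes_size = compress == 0 ? data_size : data_size + 1;
    if (*bytes_size == 0)
        (*bytes_size)++;
    *read_len = (size_t)data_size;
    return 0;
}

/* 1 if the unchecked path would read past the buffer it allocated. */
static int unchecked_overflows(long data_size, int compress)
{
    size_t read_len;
    long alloc = unchecked_bytes_size(data_size, compress, &read_len);
    return read_len > (size_t)alloc;
}
```

With data_size = -1 and compress != 0 the unchecked path allocates 1 byte but asks fread() for SIZE_MAX bytes, which is the mismatch the report describes; the checked path refuses the entry instead.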
Comment 1 Marja Van Waes 2016-06-13 11:25:00 CEST
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Philippe Makowski 2016-06-13 14:21:03 CEST
Updated packages uploaded for Mageia 5 and Cauldron
https://bugs.python.org/issue26171 has a link to https://bugs.python.org/file41677/crash.py to test the issue.


Advisory:
========================

Updated python and python3 packages fix a security vulnerability:

Heap overflow in zipimporter module.
In zipimport module,
if compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1,
then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap,
but after that in fread, it overflows heap.

References:
- http://openwall.com/lists/oss-security/2016/06/11/2
- https://bugs.python.org/issue26171

Updated packages in core/updates_testing:
========================
lib64python3.4-3.4.3-1.2.mga5
tkinter3-3.4.3-1.2.mga5
tkinter3-apps-3.4.3-1.2.mga5
lib64python3-devel-3.4.3-1.2.mga5
libpython3-devel-3.4.3-1.2.mga5
python3-3.4.3-1.2.mga5
tkinter3-3.4.3-1.2.mga5
tkinter3-apps-3.4.3-1.2.mga5
python3-docs-3.4.3-1.2.mga5.noarch
python3-3.4.3-1.2.mga5
libpython3.4-3.4.3-1.2.mga5

python-2.7.9-2.1.mga5
libpython2.7-2.7.9-2.1.mga5
python-docs-2.7.9-2.1.mga5.noarch
tkinter-2.7.9-2.1.mga5
tkinter-apps-2.7.9-2.1.mga5
lib64python-devel-2.7.9-2.1.mga5
python-2.7.9-2.1.mga5
lib64python2.7-2.7.9-2.1.mga5
tkinter-2.7.9-2.1.mga5
libpython-devel-2.7.9-2.1.mga5
tkinter-apps-2.7.9-2.1.mga5

from python3-3.4.3-1.2.mga5.src and python-2.7.9-2.1.mga5.src

Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2016-06-15 13:43:12 CEST
More security issues have been posted to oss-security, you might want to have a look at those first.

HTTP header injection in urllib2/urllib/httplib/http.client:
http://openwall.com/lists/oss-security/2016/06/15/12

CVE-2016-0772: smtplib StartTLS stripping attack:
http://openwall.com/lists/oss-security/2016/06/14/9

Summary: heap overflow in zipimporter module => Python: heap overflow in zipimporter module

Comment 4 David Walser 2016-06-15 16:29:50 CEST
CVE request for the original issue has been re-sent:
http://openwall.com/lists/oss-security/2016/06/15/15

CC: (none) => luigiwalser

Comment 5 Lewis Smith 2016-06-16 09:58:06 CEST
Created attachment 8000
Test script from Comment 2

From https://bugs.python.org/file41677/crash.py
Script to test the reported bug.

CC: (none) => lewyssmith

Comment 6 Lewis Smith 2016-06-16 10:10:32 CEST
Trying M5 x64

BEFORE the update:
$ python crash.py 
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault

$ python3 crash.py 
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
OSError: zipimport: can't read data

AFTER the update:
 python-2.7.9-2.1.mga5
 lib64python2.7-2.7.9-2.1.mga5
 tkinter-2.7.9-2.1.mga5
$ python crash.py 
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault

 python3-3.4.3-1.2.mga5
 lib64python3.4-3.4.3-1.2.mga5
 tkinter3-3.4.3-1.2.mga5
$ python3 crash.py 
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
OSError: zipimport: can't read data

Same behaviour. I wonder whether you are supposed to give the test script a zip file? It cites 2 files:
 FILE = 'payload'
 ZIP = 'import.zip'
both of which the script creates.
Comment 7 Len Lawrence 2016-06-16 12:20:24 CEST
Just experimenting to see if I can help.

No, as far as I can make out, the script writes the payload data to a file (length 1008 bytes) and then compresses the payload (read back from disk?) and writes it to disk as a zipped file.

In the second stage it appears to read the file import.zip and try to unzip it.
Not at all sure what is going on there.  Tried to sidestep the fault by using a real file length (f[2] = 1008) but it still failed:

$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zlib.error: Error -3 while decompressing data: invalid stored block lengths


This is before any update.  Leaving that to you but keeping an eye on developments.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2016-06-16 13:03:06 CEST
Weirdness.  The zipped file does not look as if it has been compressed at all.
$ ls -l import.zip
-rw-r--r-- 1 lcl lcl 1120 Jun 16 11:24 import.zip
[lcl@belexeuli ~/Downloads]$ od -a import.zip
0000000   P   K etx eot dc4 nul nul nul nul nul nul   [   P   H   -   ~
0000020   9  ff   p etx nul nul   p etx nul nul bel nul nul nul   p   a
0000040   y   l   o   a   d   A   A   A   A   A   A   A   A   A   A   A
0000060   A   A   A   A   A   A   A   A   A   A   A   A   A   A   A   A
*
0002020   A nul nul nul nul   P   K soh stx dc4 etx dc4 nul nul nul nul
0002040 nul nul   [   P   H   -   ~   9  ff   p etx nul nul   p etx nul
0002060 nul bel nul nul nul nul nul nul nul nul nul nul nul   $ soh nul
0002100 nul nul nul   p   a   y   l   o   a   d   P   K enq ack nul nul
0002120 nul nul soh nul soh nul   5 nul nul nul nak eot nul nul nul nul
0002140

It is bigger than the payload and contains all of the payload data in ASCII format.  This is with the original PoC script.
Comment 9 David Walser 2016-06-16 13:21:28 CEST
(In reply to David Walser from comment #3)
> HTTP header injection in urllib2/urllib/httplib/http.client:
> http://openwall.com/lists/oss-security/2016/06/15/12

More details:
http://www.openwall.com/lists/oss-security/2016/06/15/17
Comment 10 David Walser 2016-06-16 14:55:20 CEST
(In reply to David Walser from comment #4)
> CVE request for the original issue has been re-sent:
> http://openwall.com/lists/oss-security/2016/06/15/15

CVE-2016-5636 has been assigned:
http://openwall.com/lists/oss-security/2016/06/16/1

feedback tag added so Philippe can address the other issues in Comment 3.

Summary: Python: heap overflow in zipimporter module => Python: heap overflow in zipimporter module (CVE-2016-5636)
Whiteboard: (none) => feedback

Comment 11 David Walser 2016-06-17 01:24:46 CEST
(In reply to David Walser from comment #3)
> HTTP header injection in urllib2/urllib/httplib/http.client:
> http://openwall.com/lists/oss-security/2016/06/15/12

CVE-2016-5699 has been assigned:
http://openwall.com/lists/oss-security/2016/06/16/2
David Walser 2016-06-17 01:25:49 CEST

CC: (none) => qa-bugs
Assignee: qa-bugs => makowski.mageia
Summary: Python: heap overflow in zipimporter module (CVE-2016-5636) => python/python3 new security issues CVE-2016-0772, CVE-2016-5636, CVE-2016-5699
Whiteboard: feedback => (none)

Comment 12 Philippe Makowski 2016-06-19 15:45:49 CEST
(In reply to David Walser from comment #3)
> More security issues have been posted to oss-security, you might want to
> have a look at those first.
> 
> HTTP header injection in urllib2/urllib/httplib/http.client:
> http://openwall.com/lists/oss-security/2016/06/15/12
> 
this one is already fixed in Cauldron for 2.7 and 3.5, the patch is committed upstream since Thu, 12 Mar 2015
Comment 13 David Walser 2016-06-19 15:51:15 CEST
IIRC I checked and the patch wasn't in 2.7.11 so was at least needed in mga5.
Comment 14 Philippe Makowski 2016-06-20 11:04:58 CEST
(In reply to David Walser from comment #13)
> IIRC I checked and the patch wasn't in 2.7.11 so was at least needed in mga5.

you mean 2.7.9 I guess
so yes, it's needed for mga5
Comment 15 Philippe Makowski 2016-06-20 11:18:42 CEST
Updated packages uploaded for Mageia 5 and Cauldron

Fixes have tests added in the upstream test suite that we run at each build.


Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

- Heap overflow in zipimporter module.
In zipimport module,
if compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1,
then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap,
but after that in fread, it overflows heap.

- HTTP header injection in urllib2/urllib/httplib/http.client

- smtplib StartTLS stripping attack 


References:

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0772
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699
- http://openwall.com/lists/oss-security/2016/06/16/1
- http://openwall.com/lists/oss-security/2016/06/16/2
- http://openwall.com/lists/oss-security/2016/06/14/9
- https://bugs.python.org/issue26171
- https://bugs.python.org/issue5124
- https://bugs.python.org/issue22928

Updated packages in core/updates_testing:
========================
lib64python3.4-3.4.3-1.3.mga5
tkinter3-3.4.3-1.3.mga5
tkinter3-apps-3.4.3-1.3.mga5
lib64python3-devel-3.4.3-1.3.mga5
libpython3-devel-3.4.3-1.3.mga5
python3-3.4.3-1.3.mga5
tkinter3-3.4.3-1.3.mga5
tkinter3-apps-3.4.3-1.3.mga5
python3-docs-3.4.3-1.3.mga5.noarch
python3-3.4.3-1.3.mga5
libpython3.4-3.4.3-1.3.mga5

python-2.7.9-2.2.mga5
libpython2.7-2.7.9-2.2.mga5
python-docs-2.7.9-2.2.mga5.noarch
tkinter-2.7.9-2.2.mga5
tkinter-apps-2.7.9-2.2.mga5
lib64python-devel-2.7.9-2.2.mga5
python-2.7.9-2.2.mga5
lib64python2.7-2.7.9-2.2.mga5
tkinter-2.7.9-2.2.mga5
libpython-devel-2.7.9-2.2.mga5
tkinter-apps-2.7.9-2.2.mga5

from python3-3.4.3-1.3.mga5.src and python-2.7.9-2.2.mga5.src
Philippe Makowski 2016-06-20 11:20:11 CEST

Assignee: makowski.mageia => qa-bugs

Comment 16 David Walser 2016-06-20 15:43:40 CEST
I guess we can simplify the advisory text to:

- Heap overflow in zipimporter module (CVE-2016-5636).

- HTTP header injection in urllib2/urllib/httplib/http.client (CVE-2016-5699).

- smtplib StartTLS stripping attack (CVE-2016-0772).
Comment 17 Lewis Smith 2016-06-20 20:15:17 CEST
Trying M5 x64 with the given PoC from Comment 5.
After updates as per Comment 15.

 lib64python2.7-2.7.9-2.2.mga5
 python-2.7.9-2.2.mga5
 tkinter-2.7.9-2.2.mga5
$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault

 lib64python3.4-3.4.3-1.3.mga5
 python3-3.4.3-1.3.mga5
 tkinter3-3.4.3-1.3.mga5
$ python3 crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
OSError: zipimport: can't read data

Once again, no change from the pre-update situation Comment 6 using the given test script. Could that be a false lead?
Comment 18 Philippe Makowski 2016-06-21 09:18:17 CEST
(In reply to Lewis Smith from comment #17)
> Once again, no change from the pre-update situation Comment 6 using the
> given test script. Could that be a false lead?

The patches identified in comment #2 and upstream tracker are not complete and do not prevent the attached "crash.py" reproducer.  These do:

Upstream patches:

https://hg.python.org/cpython/rev/2edbdb79cd6d (2.7)
https://hg.python.org/cpython/rev/8b58c9328f5c (3.4)
https://hg.python.org/cpython/rev/5533a9e02b21 (3.5)
https://hg.python.org/cpython/rev/0f46c9a5735f (default)

So, I need to make a new release

Assignee: qa-bugs => makowski.mageia

Comment 19 Philippe Makowski 2016-06-21 16:27:03 CEST
(In reply to Philippe Makowski from comment #18)
> (In reply to Lewis Smith from comment #17)
> > Once again, no change from the pre-update situation Comment 6 using the
> > given test script. Could that be a false lead?
> 
> The patches identified in comment #2 and upstream tracker are not complete
> and do not prevent the attached "crash.py" reproducer.  These do:
> 
> Upstream patches:
> 
> https://hg.python.org/cpython/rev/2edbdb79cd6d (2.7)
> https://hg.python.org/cpython/rev/8b58c9328f5c (3.4)
> https://hg.python.org/cpython/rev/5533a9e02b21 (3.5)
> https://hg.python.org/cpython/rev/0f46c9a5735f (default)
> 
> So, I need to make a new release

Note: when the new version is there, the correct output will be:
$ python crash.py 
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zipimport.ZipImportError: negative data size
$
Comment 20 Philippe Makowski 2016-06-21 22:47:49 CEST
Updated packages uploaded for Mageia 5 and Cauldron

Fixes have tests added in the upstream test suite that we run at each build.


Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

- Heap overflow in zipimporter module (CVE-2016-5636).
- HTTP header injection in urllib2/urllib/httplib/http.client (CVE-2016-5699).
- smtplib StartTLS stripping attack (CVE-2016-0772).

References:

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0772
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699
- http://openwall.com/lists/oss-security/2016/06/16/1
- http://openwall.com/lists/oss-security/2016/06/16/2
- http://openwall.com/lists/oss-security/2016/06/14/9
- https://bugs.python.org/issue26171
- https://bugs.python.org/issue5124
- https://bugs.python.org/issue22928

Updated packages in core/updates_testing:
========================
lib64python3.4-3.4.3-1.4.mga5
tkinter3-3.4.3-1.4.mga5
tkinter3-apps-3.4.3-1.4.mga5
lib64python3-devel-3.4.3-1.4.mga5
libpython3-devel-3.4.3-1.4.mga5
python3-3.4.3-1.4.mga5
tkinter3-3.4.3-1.4.mga5
tkinter3-apps-3.4.3-1.4.mga5
python3-docs-3.4.3-1.4.mga5.noarch
python3-3.4.3-1.4.mga5
libpython3.4-3.4.3-1.4.mga5

python-2.7.9-2.3.mga5
libpython2.7-2.7.9-2.3.mga5
python-docs-2.7.9-2.3.mga5.noarch
tkinter-2.7.9-2.3.mga5
tkinter-apps-2.7.9-2.3.mga5
lib64python-devel-2.7.9-2.3.mga5
python-2.7.9-2.3.mga5
lib64python2.7-2.7.9-2.3.mga5
tkinter-2.7.9-2.3.mga5
libpython-devel-2.7.9-2.3.mga5
tkinter-apps-2.7.9-2.3.mga5

from python3-3.4.3-1.4.mga5.src and python-2.7.9-2.3.mga5.src

Assignee: makowski.mageia => qa-bugs

Comment 21 Herman Viaene 2016-06-22 11:02:38 CEST
MGA5-32 on AcerD620 Xfce
No installation issues
Run test as described above:
$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zipimport.ZipImportError: negative data size
and
$ python3 crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zipimport.ZipImportError: negative data size
According to Comment 19 this is the correct behavior.

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 22 claire robinson 2016-06-22 16:38:28 CEST
Well done guys. Validating. Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 23 Mageia Robot 2016-06-22 18:37:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0230.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-06-22 19:34:12 CEST

URL: https://bugs.python.org/issue26171 => http://lwn.net/Vulnerabilities/692378/

