In zipimport module, if compress != 0, then bytes_size = data_size + 1. data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0. In that case bytes_size becomes 1 and python allocates a small heap buffer, but after that in fread, it overflows the heap.

A CVE has to be assigned for a security issue fixed upstream in python and python3:
http://openwall.com/lists/oss-security/2016/06/11/2
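One defensive pre-check a packager or QA tester can run on an archive before it is handed to zipimport, written as an added example for this thread (it is not code from the bug report, from crash.py or from CPython): it walks the zip's central directory, sign-extends the 32-bit size fields the way I read zipimport.c's get_long() helper as doing on a 64-bit build (0xFFFFFFFF becomes -1), and rejects any entry whose data_size comes out negative, which is the condition the corrected interpreter reports as "negative data size". The names check_zip_sizes, build_good_zip and build_bad_zip and the two in-memory sample archives are my own constructions; the record layouts are the standard PKZIP ones.

```python
import io
import struct
import zipfile

# Standard PKZIP record layouts (little-endian).
CD_SIG = b"PK\x01\x02"       # central directory file header signature
EOCD_SIG = b"PK\x05\x06"     # end of central directory record signature
CD_FMT = "<4s6H3L5H2L"       # 46-byte central directory header, then name/extra/comment
EOCD_FMT = "<4s4H2LH"        # 22-byte end of central directory record, then comment
CD_CSIZE_OFFSET = 20         # byte offset of the compressed-size field inside a CD header


def sign_extend32(value):
    """Mirror a 32-bit field being read into a signed C long (as zipimport.c's
    get_long() does, per my reading): 0xFFFFFFFF becomes -1, not 4294967295."""
    return value - 0x100000000 if value & 0x80000000 else value


def _central_directory(data):
    """Locate the central directory via the EOCD record; return (offset, entry count)."""
    eocd_len = struct.calcsize(EOCD_FMT)
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0 or len(data) - eocd_at < eocd_len:
        raise ValueError("no end-of-central-directory record")
    fields = struct.unpack(EOCD_FMT, data[eocd_at:eocd_at + eocd_len])
    entries, cd_offset = fields[4], fields[6]
    return cd_offset, entries


def check_zip_sizes(data):
    """Validate every central directory entry of the archive held in `data`.

    Applies the check the fixed interpreter performs ("negative data size")
    plus a bounds check, and returns a list of problems (empty means clean).
    """
    try:
        pos, entries = _central_directory(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    hdr_len = struct.calcsize(CD_FMT)
    for index in range(entries):
        if pos + hdr_len > len(data) or data[pos:pos + 4] != CD_SIG:
            problems.append("entry %d: bad or truncated central directory header" % index)
            break
        fields = struct.unpack(CD_FMT, data[pos:pos + hdr_len])
        csize, usize = fields[8], fields[9]
        nlen, xlen, clen = fields[10], fields[11], fields[12]
        local_off = fields[16]
        name = data[pos + hdr_len:pos + hdr_len + nlen].decode("utf-8", "replace")
        data_size = sign_extend32(csize)
        if data_size < 0:
            problems.append("%s: negative data size (%d)" % (name, data_size))
        elif local_off + data_size > len(data):
            problems.append("%s: compressed size %d runs past end of archive" % (name, data_size))
        if sign_extend32(usize) < 0:
            problems.append("%s: negative uncompressed size" % name)
        pos += hdr_len + nlen + xlen + clen
    return problems


def build_good_zip():
    """Constructed sample: a well-formed archive with one 1008-byte member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload", "A" * 1008)
    return buf.getvalue()


def build_bad_zip():
    """Constructed sample: the same archive, with the central directory's
    compressed-size field overwritten by 0xFFFFFFFF (sign-extends to -1)."""
    data = bytearray(build_good_zip())
    cd_offset, _ = _central_directory(bytes(data))
    struct.pack_into("<L", data, cd_offset + CD_CSIZE_OFFSET, 0xFFFFFFFF)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("good", build_good_zip()), ("bad", build_bad_zip())):
        print(label, check_zip_sizes(sample) or "ok")
```

Running the block prints "good ok" and the single complaint for the patched archive. Note what it does not cover: crash.py (per the later comments in this thread) tampers with the importer's in-memory file table rather than the zip on disk, so a file-level check like this one only catches archives that carry the bad size in their central directory; the real fix is the interpreter-side check in the upstream patches.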
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Updated packages uploaded for Mageia 5 and Cauldron.

https://bugs.python.org/issue26171 has a link to https://bugs.python.org/file41677/crash.py to test the issue.

Advisory:
========================

Updated python and python3 packages fix a security vulnerability:

Heap overflow in zipimporter module. In zipimport module, if compress != 0, then bytes_size = data_size + 1. data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0. In that case bytes_size becomes 1 and python allocates a small heap buffer, but after that in fread, it overflows the heap.

References:
- http://openwall.com/lists/oss-security/2016/06/11/2
- https://bugs.python.org/issue26171

Updated packages in core/updates_testing:
========================
lib64python3.4-3.4.3-1.2.mga5
tkinter3-3.4.3-1.2.mga5
tkinter3-apps-3.4.3-1.2.mga5
lib64python3-devel-3.4.3-1.2.mga5
libpython3-devel-3.4.3-1.2.mga5
python3-3.4.3-1.2.mga5
tkinter3-3.4.3-1.2.mga5
tkinter3-apps-3.4.3-1.2.mga5
python3-docs-3.4.3-1.2.mga5.noarch
python3-3.4.3-1.2.mga5
libpython3.4-3.4.3-1.2.mga5
python-2.7.9-2.1.mga5
libpython2.7-2.7.9-2.1.mga5
python-docs-2.7.9-2.1.mga5.noarch
tkinter-2.7.9-2.1.mga5
tkinter-apps-2.7.9-2.1.mga5
lib64python-devel-2.7.9-2.1.mga5
python-2.7.9-2.1.mga5
lib64python2.7-2.7.9-2.1.mga5
tkinter-2.7.9-2.1.mga5
libpython-devel-2.7.9-2.1.mga5
tkinter-apps-2.7.9-2.1.mga5

from python3-3.4.3-1.2.mga5.src and python-2.7.9-2.1.mga5.src
Assignee: pkg-bugs => qa-bugs
More security issues have been posted to oss-security, you might want to have a look at those first.

HTTP header injection in urllib2/urllib/httplib/http.client:
http://openwall.com/lists/oss-security/2016/06/15/12

CVE-2016-0772: smtplib StartTLS stripping attack:
http://openwall.com/lists/oss-security/2016/06/14/9
Summary: heap overflow in zipimporter module => Python: heap overflow in zipimporter module
CVE request for the original issue has been re-sent: http://openwall.com/lists/oss-security/2016/06/15/15
CC: (none) => luigiwalser
Created attachment 8000
Test script from Comment 2

From https://bugs.python.org/file41677/crash.py
Script to test the reported bug.
CC: (none) => lewyssmith
Trying M5 x64

BEFORE the update:

$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault

$ python3 crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
OSError: zipimport: can't read data

AFTER the update:

python-2.7.9-2.1.mga5
lib64python2.7-2.7.9-2.1.mga5
tkinter-2.7.9-2.1.mga5

$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault

python3-3.4.3-1.2.mga5
lib64python3.4-3.4.3-1.2.mga5
tkinter3-3.4.3-1.2.mga5

$ python3 crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
OSError: zipimport: can't read data

Same behaviour. I wonder whether you are supposed to give the test script a zip file? It cites 2 files:
  FILE = 'payload'
  ZIP = 'import.zip'
both of which the script creates.
Just experimenting to see if I can help.

No, as far as I can make out, the script writes the payload data to a file (length 1008 bytes) and then compresses the payload (read back from disk?) and writes it to disk as a zipped file. In the second stage it appears to read the file import.zip and try to unzip it. Not at all sure what is going on there.

Tried to sidestep the fault by using a real file length (f[2] = 1008) but it still failed:

$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zlib.error: Error -3 while decompressing data: invalid stored block lengths

This is before any update. Leaving that to you but keeping an eye on developments.
CC: (none) => tarazed25
Weirdness. The zipped file does not look as if it has been compressed at all.

$ ls -l import.zip
-rw-r--r-- 1 lcl lcl 1120 Jun 16 11:24 import.zip
[lcl@belexeuli ~/Downloads]$ od -a import.zip
0000000   P   K etx eot dc4 nul nul nul nul nul nul   [   P   H   -   ~
0000020   9  ff   p etx nul nul   p etx nul nul bel nul nul nul   p   a
0000040   y   l   o   a   d   A   A   A   A   A   A   A   A   A   A   A
0000060   A   A   A   A   A   A   A   A   A   A   A   A   A   A   A   A
*
0002020   A nul nul nul nul   P   K soh stx dc4 etx dc4 nul nul nul nul
0002040 nul nul   [   P   H   -   ~   9  ff   p etx nul nul   p etx nul
0002060 nul bel nul nul nul nul nul nul nul nul nul nul nul   $ soh nul
0002100 nul nul nul   p   a   y   l   o   a   d   P   K enq ack nul nul
0002120 nul nul soh nul soh nul   5 nul nul nul nak eot nul nul nul nul
0002140

It is bigger than the payload and contains all of the payload data in ASCII format. This is with the original PoC script.
(In reply to David Walser from comment #3)
> HTTP header injection in urllib2/urllib/httplib/http.client:
> http://openwall.com/lists/oss-security/2016/06/15/12

More details:
http://www.openwall.com/lists/oss-security/2016/06/15/17
(In reply to David Walser from comment #4)
> CVE request for the original issue has been re-sent:
> http://openwall.com/lists/oss-security/2016/06/15/15

CVE-2016-5636 has been assigned:
http://openwall.com/lists/oss-security/2016/06/16/1

feedback tag added so Philippe can address the other issues in Comment 3.
Summary: Python: heap overflow in zipimporter module => Python: heap overflow in zipimporter module (CVE-2016-5636)
Whiteboard: (none) => feedback
(In reply to David Walser from comment #3)
> HTTP header injection in urllib2/urllib/httplib/http.client:
> http://openwall.com/lists/oss-security/2016/06/15/12

CVE-2016-5699 has been assigned:
http://openwall.com/lists/oss-security/2016/06/16/2
CC: (none) => qa-bugs
Assignee: qa-bugs => makowski.mageia
Summary: Python: heap overflow in zipimporter module (CVE-2016-5636) => python/python3 new security issues CVE-2016-0772, CVE-2016-5636, CVE-2016-5699
Whiteboard: feedback => (none)
(In reply to David Walser from comment #3)
> More security issues have been posted to oss-security, you might want to
> have a look at those first.
>
> HTTP header injection in urllib2/urllib/httplib/http.client:
> http://openwall.com/lists/oss-security/2016/06/15/12
>

This one is already fixed in Cauldron for 2.7 and 3.5; the patch has been committed upstream since Thu, 12 Mar 2015.
IIRC I checked and the patch wasn't in 2.7.11 so was at least needed in mga5.
(In reply to David Walser from comment #13)
> IIRC I checked and the patch wasn't in 2.7.11 so was at least needed in mga5.

You mean 2.7.9, I guess. So yes, it's needed for mga5.
Updated packages uploaded for Mageia 5 and Cauldron.

Fixes have tests added in the upstream test suite that we run at each build.

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

- Heap overflow in zipimporter module. In zipimport module, if compress != 0, then bytes_size = data_size + 1. data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0. In that case bytes_size becomes 1 and python allocates a small heap buffer, but after that in fread, it overflows the heap.
- HTTP header injection in urllib2/urllib/httplib/http.client
- smtplib StartTLS stripping attack

References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0772
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699
- http://openwall.com/lists/oss-security/2016/06/16/1
- http://openwall.com/lists/oss-security/2016/06/16/2
- http://openwall.com/lists/oss-security/2016/06/14/9
- https://bugs.python.org/issue26171
- https://bugs.python.org/issue5124
- https://bugs.python.org/issue22928

Updated packages in core/updates_testing:
========================
lib64python3.4-3.4.3-1.3.mga5
tkinter3-3.4.3-1.3.mga5
tkinter3-apps-3.4.3-1.3.mga5
lib64python3-devel-3.4.3-1.3.mga5
libpython3-devel-3.4.3-1.3.mga5
python3-3.4.3-1.3.mga5
tkinter3-3.4.3-1.3.mga5
tkinter3-apps-3.4.3-1.3.mga5
python3-docs-3.4.3-1.3.mga5.noarch
python3-3.4.3-1.3.mga5
libpython3.4-3.4.3-1.3.mga5
python-2.7.9-2.2.mga5
libpython2.7-2.7.9-2.2.mga5
python-docs-2.7.9-2.2.mga5.noarch
tkinter-2.7.9-2.2.mga5
tkinter-apps-2.7.9-2.2.mga5
lib64python-devel-2.7.9-2.2.mga5
python-2.7.9-2.2.mga5
lib64python2.7-2.7.9-2.2.mga5
tkinter-2.7.9-2.2.mga5
libpython-devel-2.7.9-2.2.mga5
tkinter-apps-2.7.9-2.2.mga5

from python3-3.4.3-1.3.mga5.src and python-2.7.9-2.2.mga5.src
Assignee: makowski.mageia => qa-bugs
I guess we can simplify the advisory text to:

- Heap overflow in zipimporter module (CVE-2016-5636).
- HTTP header injection in urllib2/urllib/httplib/http.client (CVE-2016-5699).
- smtplib StartTLS stripping attack (CVE-2016-0772).
Trying M5 x64 with the given PoC from Comment 5, after updates as per Comment 15.

lib64python2.7-2.7.9-2.2.mga5
python-2.7.9-2.2.mga5
tkinter-2.7.9-2.2.mga5

$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault

lib64python3.4-3.4.3-1.3.mga5
python3-3.4.3-1.3.mga5
tkinter3-3.4.3-1.3.mga5

$ python3 crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
OSError: zipimport: can't read data

Once again, no change from the pre-update situation in Comment 6 using the given test script. Could that be a false lead?
(In reply to Lewis Smith from comment #17)
> Once again, no change from the pre-update situation Comment 6 using the
> given test script. Could that be a false lead?

The patches identified in comment #2 and the upstream tracker are not complete and do not prevent the attached "crash.py" reproducer. These do:

Upstream patches:

https://hg.python.org/cpython/rev/2edbdb79cd6d (2.7)
https://hg.python.org/cpython/rev/8b58c9328f5c (3.4)
https://hg.python.org/cpython/rev/5533a9e02b21 (3.5)
https://hg.python.org/cpython/rev/0f46c9a5735f (default)

So, I need to make a new release.
Assignee: qa-bugs => makowski.mageia
(In reply to Philippe Makowski from comment #18)
> (In reply to Lewis Smith from comment #17)
> > Once again, no change from the pre-update situation Comment 6 using the
> > given test script. Could that be a false lead?
>
> The patches identified in comment #2 and upstream tracker are not complete
> and do not prevent the attached "crash.py" reproducer. These do:
>
> Upstream patches:
>
> https://hg.python.org/cpython/rev/2edbdb79cd6d (2.7)
> https://hg.python.org/cpython/rev/8b58c9328f5c (3.4)
> https://hg.python.org/cpython/rev/5533a9e02b21 (3.5)
> https://hg.python.org/cpython/rev/0f46c9a5735f (default)
>
> So, I need to make a new release

Note: when the new version is there, the correct output will be:

$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zipimport.ZipImportError: negative data size
$
Updated packages uploaded for Mageia 5 and Cauldron.

Fixes have tests added in the upstream test suite that we run at each build.

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

- Heap overflow in zipimporter module (CVE-2016-5636).
- HTTP header injection in urllib2/urllib/httplib/http.client (CVE-2016-5699).
- smtplib StartTLS stripping attack (CVE-2016-0772).

References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0772
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699
- http://openwall.com/lists/oss-security/2016/06/16/1
- http://openwall.com/lists/oss-security/2016/06/16/2
- http://openwall.com/lists/oss-security/2016/06/14/9
- https://bugs.python.org/issue26171
- https://bugs.python.org/issue5124
- https://bugs.python.org/issue22928

Updated packages in core/updates_testing:
========================
lib64python3.4-3.4.3-1.4.mga5
tkinter3-3.4.3-1.4.mga5
tkinter3-apps-3.4.3-1.4.mga5
lib64python3-devel-3.4.3-1.4.mga5
libpython3-devel-3.4.3-1.4.mga5
python3-3.4.3-1.4.mga5
tkinter3-3.4.3-1.4.mga5
tkinter3-apps-3.4.3-1.4.mga5
python3-docs-3.4.3-1.4.mga5.noarch
python3-3.4.3-1.4.mga5
libpython3.4-3.4.3-1.4.mga5
python-2.7.9-2.3.mga5
libpython2.7-2.7.9-2.3.mga5
python-docs-2.7.9-2.3.mga5.noarch
tkinter-2.7.9-2.3.mga5
tkinter-apps-2.7.9-2.3.mga5
lib64python-devel-2.7.9-2.3.mga5
python-2.7.9-2.3.mga5
lib64python2.7-2.7.9-2.3.mga5
tkinter-2.7.9-2.3.mga5
libpython-devel-2.7.9-2.3.mga5
tkinter-apps-2.7.9-2.3.mga5

from python3-3.4.3-1.4.mga5.src and python-2.7.9-2.3.mga5.src
MGA5-32 on AcerD620 Xfce

No installation issues.

Ran the test as described above:

$ python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zipimport.ZipImportError: negative data size

and

$ python3 crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zipimport.ZipImportError: negative data size

According to Comment 19 this is the correct behavior.
CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK
Well done guys. Validating. Advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0230.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: https://bugs.python.org/issue26171 => http://lwn.net/Vulnerabilities/692378/