Debian Bug report logs -
#416934
python2.5: off-by-one bug in strxfrm() (causes information leak)
Reported by: "Piotr Engelking" <inkerman42@gmail.com>
Date: Sat, 31 Mar 2007 15:03:02 UTC
Severity: important
Tags: patch, security
Found in version python2.5/2.5-5
Fixed in version 2.5.1-1
Done: Matthias Klose <doko@cs.tu-berlin.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#416931; Package python2.4.
Acknowledgement sent to "Piotr Engelking" <inkerman42@gmail.com>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: python2.4
Version: 2.4.4-2
Severity: important
Tags: security patch
In Modules/_localemodule.c, PyLocale_strxfrm() miscalculates the length of
the strxfrm() destination buffer, which causes the function to return a
wrong string, and to read past the destination buffer, which may (and does)
result in an information leak. The bug is also present in python2.5.
The attached patch fixes this problem.
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=pl_PL.UTF8 (charmap=UTF-8)
Versions of packages python2.4 depends on:
ii libbz2-1.0 1.0.3-6 high-quality block-sorting file co
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libdb4.4 4.4.20-8 Berkeley v4.4 Database Libraries [
ii libncursesw5 5.5-5 Shared libraries for terminal hand
ii libreadline5 5.2-2 GNU readline and history libraries
ii libssl0.9.8 0.9.8c-4 SSL shared libraries
ii mime-support 3.39-1 MIME files 'mime.types' & 'mailcap
ii python2.4-minimal 2.4.4-2 A minimal subset of the Python lan
python2.4 recommends no packages.
-- no debconf information
[strxfrm-leak.patch (text/x-patch, attachment)]
Bug 416931 cloned as bug 416934.
Request was from "Piotr Engelking" <inkerman42@gmail.com>
to control@bugs.debian.org.
(Sat, 31 Mar 2007 15:09:05 GMT)
Bug reassigned from package `python2.4' to `python2.5'.
Request was from "Piotr Engelking" <inkerman42@gmail.com>
to control@bugs.debian.org.
(Sat, 31 Mar 2007 15:09:08 GMT)
Changed Bug title to python2.5: off-by-one bug in strxfrm() (causes information leak) from python2.4: off-by-one bug in strxfrm() (causes information leak).
Request was from "Piotr Engelking" <inkerman42@gmail.com>
to control@bugs.debian.org.
(Sat, 31 Mar 2007 15:09:10 GMT)
Bug marked as found in version 2.5-5.
Request was from "Piotr Engelking" <inkerman42@gmail.com>
to control@bugs.debian.org.
(Sat, 31 Mar 2007 17:27:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#416934; Package python2.5.
Acknowledgement sent to Lubomir Kundrak <lkundrak@redhat.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
Message #18 received at 416934@bugs.debian.org:
Piotr: Could you please provide a reproducer, or a string/locale couple
that triggered the bug for you?
In my system, when n1 returned by strxfrm() was equal to n2, the string
was terminated with \0, only that it was truncated (so a subsequent
attempt to read it did not lead to an out-of-bound read). Though the
manual states that the behavior is undefined. I did not try it in
Debian, but I can't really imagine why Debian's glibc would behave
differently from Fedora's one.
Btw. I can't imagine a real-world situation where this would lead to an
information disclosure. The return value of strxfrm() is never meant to
be displayed to the user.
--
Lubomir Kundrak (Red Hat Security Response Team)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#416934; Package python2.5.
Acknowledgement sent to "Piotr Engelking" <inkerman42@gmail.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
Message #23 received at 416934@bugs.debian.org:
Lubomir Kundrak <lkundrak@redhat.com> wrote:
> Piotr: Could you please provide a reproducer, or a string/locale couple
> that triggered the bug for you?
Ok, sorry for being so terse in the original report:
$ cat foo
#!/usr/bin/python
import locale
print locale.setlocale(locale.LC_COLLATE, 'pl_PL.UTF8')
print repr(locale.strxfrm('a'))
$ ./foo
pl_PL.UTF8
'\x0c\x01\x08\x01\x02\x01\x18\x08\x10'
$
Here, '\x0c\x01\x08\x01\x02\x01' comes from glibc's strxfrm(), and the
rest of the string is the contents of the memory immediately after the
destination buffer. (It is also possible to get identifiable parts of
the strings processed by the program before the strxfrm() call but I
don't have a reproducible test case for that.)
> Btw. I can't imagine a real-world situation where would this lead to an
> information disclosure. The return value of strxfrm() is never meant to
> be displayed to the user.
Real-world case, and how I found the bug in the first place: a
webapp that allows a user to upload some strings to the server, and
other users to view them and sort them in various ways. Since
Javascript doesn't have support for locale-aware string comparison,
each string carries a sorting key, which is the return value of
strxfrm(), and which is visible in the page source.
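The report describes the fault only in outline: the wrapper sizes the strxfrm() destination from the input length and from the returned length as if that already counted the terminating NUL, so the key ends up unterminated and a later string read runs off the end of the buffer. The C program below is an added illustration of that sizing pattern beside a correct one; it is not CPython's code, not the attached patch, and not part of this bug log. The function names (flawed_xfrm_dup, safe_xfrm_dup and the checks) are chosen here, and expanding_xfrm is a constructed stand-in for a locale such as pl_PL.UTF8 whose keys are longer than the input, following strxfrm()'s contract, so the demonstration does not depend on that locale being installed. The n1/n2 names follow Lubomir's description above, and main() also feeds the real strxfrm() through the safe path under pl_PL.UTF-8 if it is available, otherwise under C.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Any function with strxfrm()'s contract: returns the full key length without
 * the NUL, writes at most n bytes, and leaves dst unspecified (glibc: simply
 * unterminated) whenever the return value is >= n. */
typedef size_t (*xfrm_fn)(char *dst, const char *src, size_t n);

/* Constructed stand-in for an expanding locale: each input byte becomes the
 * byte followed by 0x01. Not a real collation; it only models the contract. */
static size_t expanding_xfrm(char *dst, const char *src, size_t n)
{
    size_t need = strlen(src) * 2;
    size_t i;

    for (i = 0; src[i] != '\0' && 2 * i + 1 < n; i++) {
        dst[2 * i] = src[i];
        dst[2 * i + 1] = 0x01;
    }
    if (need < n)
        dst[need] = '\0';       /* terminated only when the whole key fits */
    return need;
}

/* The sizing at fault. n1 assumes the key is as long as the input; n2 is then
 * compared and allocated as if it already counted the NUL. A key of exactly
 * n1 bytes (n2 == n1) is never enlarged, a longer one gets n2 bytes instead of
 * n2 + 1; either way no terminator is stored, and a later strlen()-style read
 * walks past the buffer. The capacity is returned so the caller can inspect
 * the buffer without reading past it. */
static char *flawed_xfrm_dup(const char *s, xfrm_fn xfrm, size_t *cap)
{
    size_t n1 = strlen(s) + 1;
    char *buf = malloc(n1);
    size_t n2;

    if (buf == NULL)
        return NULL;
    n2 = xfrm(buf, s, n1);
    if (n2 > n1) {                    /* off by one: n2 == n1 is also too big */
        char *tmp = realloc(buf, n2); /* off by one: n2 + 1 bytes are needed */
        if (tmp == NULL) {
            free(buf);
            return NULL;
        }
        buf = tmp;
        xfrm(buf, s, n2);             /* fills all n2 bytes, stores no NUL */
        n1 = n2;
    }
    *cap = n1;
    return buf;
}

/* Correct sizing: query the length with n == 0 (dst may be NULL then),
 * allocate one byte more, and refuse a key whose size changed in between. */
static char *safe_xfrm_dup(const char *s, xfrm_fn xfrm)
{
    size_t need = xfrm(NULL, s, 0);
    char *buf = malloc(need + 1);

    if (buf == NULL)
        return NULL;
    if (xfrm(buf, s, need + 1) != need) {
        free(buf);
        return NULL;
    }
    buf[need] = '\0';                 /* belt and braces */
    return buf;
}

/* 1 if the flawed pattern leaves no NUL anywhere in its buffer, 0 if the
 * result happens to be terminated, -1 on allocation failure. */
static int flawed_leaves_unterminated(const char *s, xfrm_fn xfrm)
{
    size_t cap;
    char *buf = flawed_xfrm_dup(s, xfrm, &cap);
    int unterminated;

    if (buf == NULL)
        return -1;
    unterminated = memchr(buf, '\0', cap) == NULL;
    free(buf);
    return unterminated;
}

/* Length of the key the safe pattern produces, or -1 on failure. */
static long safe_key_len(const char *s, xfrm_fn xfrm)
{
    char *buf = safe_xfrm_dup(s, xfrm);
    long len;

    if (buf == NULL)
        return -1;
    len = (long)strlen(buf);
    free(buf);
    return len;
}

int main(void)
{
    const char *loc = setlocale(LC_COLLATE, "pl_PL.UTF-8");
    char *key;
    size_t i;

    if (loc == NULL)
        loc = setlocale(LC_COLLATE, "C");
    if ((key = safe_xfrm_dup("a", strxfrm)) == NULL)
        return 1;
    printf("locale %s, key for \"a\":", loc);
    for (i = 0; key[i] != '\0'; i++)
        printf(" \\x%02x", (unsigned char)key[i]);
    printf("\nflawed pattern with expanding transform, key for \"a\" unterminated: %d\n",
           flawed_leaves_unterminated("a", expanding_xfrm));
    free(key);
    return 0;
}
```

With the expanding transform, the single character 'a' is exactly the n2 == n1 case (two bytes needed, two bytes allocated, no room for the NUL), and any longer input hits the realloc branch, which is one byte short as well. In the C locale glibc's strxfrm() copies the input unchanged, so the flawed pattern happens to terminate there, which is why the fault only shows under a locale with longer collation keys.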
Reply sent to Matthias Klose <doko@cs.tu-berlin.de>:
You have taken responsibility.
Notification sent to "Piotr Engelking" <inkerman42@gmail.com>:
Bug acknowledged by developer.
Message #28 received at 416934-done@bugs.debian.org:
Version: 2.5.1-1
Fixed in 2.5.1-1
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 08 Jul 2007 07:41:39 GMT)
Last modified:
Mon Jul 15 19:42:48 2024;