Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#663189; Package src:pyfribidi.
(Fri, 09 Mar 2012 09:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Ralf Schmitt <ralf@systemexit.de>:
New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
(Fri, 09 Mar 2012 09:15:14 GMT) (full text, mbox, link).
Package: python-pyfribidi
Architecture: i386
Source: pyfribidi
Version: 0.10.0-2
There's a buffer overflow in pyfribidi:
# python2.6 -c 'import pyfribidi; pyfribidi.log2vis(unichr(0x10000)*5)'
Segmentation fault
The reason is the following (see
https://github.com/pediapress/pyfribidi/issues/2):
fribidi_utf8_to_unicode consumes at most 3 bytes for a single unicode
character, i.e. it does not handle unicode characters above 0xffff. For a
4 byte utf-8 sequence it will generate 2 unicode characters, which
overflows the logical buffer.
It's fixed with
https://github.com/pediapress/pyfribidi/commit/d2860c655357975e7b32d84e6b45e98f0dcecd7a
(or with pyfribidi 0.11 from pypi)
IMHO the issue is security relevant.
--
Cheers
Ralf
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#663189; Package src:pyfribidi.
(Fri, 09 Mar 2012 11:30:03 GMT) (full text, mbox, link).
To: Ralf Schmitt <ralf@systemexit.de>, 663189@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Bug#663189: buffer overflow in python-pyfribidi
Date: Fri, 9 Mar 2012 12:26:27 +0100
severity 663189 grave
tags 663189 + confirmed security
thanks
* Ralf Schmitt <ralf@systemexit.de>, 2012-03-09, 10:11:
># python2.6 -c 'import pyfribidi; pyfribidi.log2vis(unichr(0x10000)*5)'
>Segmentation fault
>
>The reason is the following (see
>https://github.com/pediapress/pyfribidi/issues/2):
>
>fribidi_utf8_to_unicode consumes at most 3 bytes for a single unicode
>character, i.e. it does not handle unicode characters above 0xffff.
As far as I can see this is not true. In Debian, we allocate 4 bytes per
character. (An upstream version, which the Debian package is based on,
is completely broken in this respect: it allocates a buffer of static
size. See bug #570068)
>For a 4 byte utf-8 sequence it will generate 2 unicode characters,
>which overflows the logical buffer.
I'm confused. What is "it" in your sentence? Why 2 Unicode characters?
Anyway, I tried to double the buffer size (8 bytes per character of
original string) but this didn't fix the crash. So likely the problem
lies somewhere else.
--
Jakub Wilk
Severity set to 'grave' from 'normal'
Request was from Jakub Wilk <jwilk@debian.org>
to control@bugs.debian.org.
(Fri, 09 Mar 2012 11:30:06 GMT) (full text, mbox, link).
Added tag(s) confirmed and security.
Request was from Jakub Wilk <jwilk@debian.org>
to control@bugs.debian.org.
(Fri, 09 Mar 2012 11:30:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#663189; Package src:pyfribidi.
(Fri, 09 Mar 2012 11:51:41 GMT) (full text, mbox, link).
Acknowledgement sent
to Ralf Schmitt <ralf@systemexit.de>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
(Fri, 09 Mar 2012 11:51:48 GMT) (full text, mbox, link).
Subject: Re: Bug#663189: buffer overflow in python-pyfribidi
Date: Fri, 09 Mar 2012 12:49:11 +0100
Jakub Wilk <jwilk@debian.org> writes:
>>The reason is the following (see
>>https://github.com/pediapress/pyfribidi/issues/2):
>>
>> fribidi_utf8_to_unicode consumes at most 3 bytes for a single
>> unicode character, i.e. it does not handle unicode characters above
>> 0xffff.
>
> As far as I can see this is not true. In Debian, we allocate 4 bytes
> per character. (An upstream version, which the Debian package is
> based on, is completely broken in this respect: it allocates a buffer
> of static size. See bug #570068)
Upstream is pretty much dead in this case. I've published our version on
PyPI. However, I didn't ask or inform the original authors about that.
>
>> For a 4 byte utf-8 sequence it will generate 2 unicode characters,
>> which overflows the logical buffer.
>
> I'm confused. What is "it" in your sentence? Why 2 Unicode characters?
"it" refers to the 4 byte utf-8 sequence.
Here's the inner loop of "fribidi_utf8_to_unicode" from
fribidi-char-sets-utf8.c:
,----
|   length = 0;
|   while ((FriBidiStrIndex) (s - t) < len)
|     {
|       register unsigned char ch = *s;
|       if (ch <= 0x7f)          /* one byte */
|         {
|           *us++ = *s++;
|         }
|       else if (ch <= 0xdf)     /* 2 byte */
|         {
|           *us++ = ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);
|           s += 2;
|         }
|       else                     /* 3 byte */
|         {
|           *us++ =
|             ((int) (*s & 0x0f) << 12) +
|             ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);
|           s += 3;
|         }
|       length++;
|     }
`----
Assume you have a 4-byte utf-8 sequence. One loop step consumes a maximum of
3 bytes of that 4-byte sequence (there's no "4 byte" case), leaving
1 byte of that sequence for further processing. This 1 byte will
generate another unicode character. pyfribidi uses the length of the
python unicode string as buffer size, which is less than what
fribidi_utf8_to_unicode generates. And there you have your buffer
overflow.
To confirm the issue, you can add an assert and check that
fribidi_utf8_to_unicode's return value (the length of the string) equals
unicode_length.
>
> Anyway, I tried to double the buffer size (8 bytes per character of
> original string) but this didn't fix the crash. So likely the problem
> lies somewhere else.
I'm pretty sure my analysis is correct and I'm not quite sure what
you did here.
--
Cheers
Ralf
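The arithmetic from the message above, as an added example (not code from fribidi, pyfribidi or anyone in this thread): `legacy_output_count` models only the branching of the quoted loop, and `decode_utf8_bounded` (a hypothetical name) is one way to decode with both input and output bounds checked. The sample bytes and the 5-slot buffer are constructed to match the `unichr(0x10000)*5` case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed sample: U+10000 five times, 4 UTF-8 bytes each (20 bytes). */
static const unsigned char SAMPLE[] =
    "\xF0\x90\x80\x80\xF0\x90\x80\x80\xF0\x90\x80\x80\xF0\x90\x80\x80\xF0\x90\x80\x80";
#define SAMPLE_LEN (sizeof SAMPLE - 1)
static uint32_t OUT[5];   /* one slot per code point, as the caller sized it */

/* Models only the branching of the quoted loop: returns how many elements it
   would store. Nothing is written and no byte past len is read. */
size_t legacy_output_count(const unsigned char *s, size_t len)
{
    size_t i = 0, n = 0;
    for (; i < len; n++)
        i += (s[i] <= 0x7f) ? 1 : (s[i] <= 0xdf) ? 2 : 3;   /* no 4-byte case */
    return n;
}

/* Hypothetical bounded decoder: 1..4 byte sequences, bounds checked; returns
   code points written or -1. Overlong forms and surrogates are not rejected. */
long decode_utf8_bounded(const unsigned char *s, size_t len, uint32_t *out, size_t cap)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char ch = s[i];
        size_t need = ch < 0x80 ? 1 : (ch & 0xe0) == 0xc0 ? 2 :
                      (ch & 0xf0) == 0xe0 ? 3 : (ch & 0xf8) == 0xf0 ? 4 : 0;
        if (need == 0 || need > len - i || n == cap)
            return -1;                  /* bad lead byte, truncated, or full */
        uint32_t cp = need == 1 ? ch : ch & (0xffu >> (need + 1));
        for (size_t k = 1; k < need; k++) {
            if ((s[i + k] & 0xc0) != 0x80)
                return -1;              /* not a continuation byte */
            cp = (cp << 6) | (s[i + k] & 0x3fu);
        }
        out[n++] = cp;
        i += need;
    }
    return (long)n;
}

int main(void)
{
    printf("legacy loop would store %zu elements; bounded decoder returns %ld\n",
           legacy_output_count(SAMPLE, SAMPLE_LEN),
           decode_utf8_bounded(SAMPLE, SAMPLE_LEN, OUT, 5));
    return 0;
}
```

The model stores twice as many elements as there are code points because each leftover continuation byte falls into the loop's 2-byte branch; comparing that count with the allocated length is the assert suggested in the message.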
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#663189; Package src:pyfribidi.
(Fri, 09 Mar 2012 11:52:00 GMT) (full text, mbox, link).
To: Ralf Schmitt <ralf@systemexit.de>, 663189@bugs.debian.org
Subject: Re: Bug#663189: buffer overflow in python-pyfribidi
Date: Fri, 9 Mar 2012 13:23:29 +0100
* Ralf Schmitt <ralf@systemexit.de>, 2012-03-09, 12:49:
>>>fribidi_utf8_to_unicode consumes at most 3 bytes for a single unicode
>>>character, i.e. it does not handle unicode characters above 0xffff.
Now that I woke up, I finally understand what you meant here. :) Sorry for the
noise.
>here's the inner loop of "fribidi_utf8_to_unicode" from
>fribidi-char-sets-utf8.c:
>
>,----
>|   length = 0;
>|   while ((FriBidiStrIndex) (s - t) < len)
>|     {
>|       register unsigned char ch = *s;
>|       if (ch <= 0x7f)          /* one byte */
>|         {
>|           *us++ = *s++;
>|         }
>|       else if (ch <= 0xdf)     /* 2 byte */
>|         {
>|           *us++ = ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);
>|           s += 2;
>|         }
>|       else                     /* 3 byte */
>|         {
>|           *us++ =
>|             ((int) (*s & 0x0f) << 12) +
>|             ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);
>|           s += 3;
>|         }
>|       length++;
>|     }
>`----
Ugh. That's so broken...
--
Jakub Wilk
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#663189; Package src:pyfribidi.
(Sat, 10 Mar 2012 09:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to أحمد المحمودي <aelmahmoudy@sabily.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
(Sat, 10 Mar 2012 09:33:07 GMT) (full text, mbox, link).
On Fri, Mar 09, 2012 at 12:49:11PM +0100, Ralf Schmitt wrote:
> upstream is pretty much dead in this case. I've published our version on
> PyPI. However, I didn't ask or inform the original authors about that.
---end quoted text---
Why do you include a convenience copy of fribidi source code in your
pyfribidi distribution?
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
GPG KeyID: 0xEDDDA1B7
GPG Fingerprint: 8206 A196 2084 7E6D 0DF8 B176 BC19 6A94 EDDD A1B7
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#663189; Package src:pyfribidi.
(Sat, 10 Mar 2012 09:33:12 GMT) (full text, mbox, link).
Acknowledgement sent
to أحمد المحمودي <aelmahmoudy@sabily.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
(Sat, 10 Mar 2012 09:33:13 GMT) (full text, mbox, link).
On Fri, Mar 09, 2012 at 12:49:16PM +0100, Jakub Wilk wrote:
> Right, 0.11 on pypi looks much saner than the current one. Thanks.
---end quoted text---
The package is ready at:
http://mentors.debian.net/debian/pool/main/p/pyfribidi/pyfribidi_0.11.0-1.dsc
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
GPG KeyID: 0xEDDDA1B7
GPG Fingerprint: 8206 A196 2084 7E6D 0DF8 B176 BC19 6A94 EDDD A1B7
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#663189; Package src:pyfribidi.
(Sat, 10 Mar 2012 10:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Ralf Schmitt <ralf@systemexit.de>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
(Sat, 10 Mar 2012 10:30:05 GMT) (full text, mbox, link).
Subject: Re: Bug#663189: buffer overflow in python-pyfribidi
Date: Sat, 10 Mar 2012 11:27:37 +0100
أحمد المحمودي <aelmahmoudy@sabily.org> writes:
>
> Why do you include a convenience copy of fribidi source code in your
> pyfribidi distribution?
Just so that I can tell people to "pip install pyfribidi" instead of
telling them to install the fribidi headers first. This can easily be
disabled by setting USE_SYSTEM_LIB, like in "USE_SYSTEM_LIB=1 pip
install pyfribidi".
--
Cheers
Ralf
Reply sent
to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@sabily.org>:
You have taken responsibility.
(Wed, 14 Mar 2012 22:21:17 GMT) (full text, mbox, link).
Notification sent
to Ralf Schmitt <ralf@systemexit.de>:
Bug acknowledged by developer.
(Wed, 14 Mar 2012 22:21:17 GMT) (full text, mbox, link).
From: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@sabily.org>
To: 663189-close@bugs.debian.org
Subject: Bug#663189: fixed in pyfribidi 0.11.0-1
Date: Wed, 14 Mar 2012 22:19:39 +0000
Source: pyfribidi
Source-Version: 0.11.0-1
We believe that the bug you reported is fixed in the latest version of
pyfribidi, which is due to be installed in the Debian FTP archive:
pyfribidi_0.11.0-1.debian.tar.gz
to main/p/pyfribidi/pyfribidi_0.11.0-1.debian.tar.gz
pyfribidi_0.11.0-1.dsc
to main/p/pyfribidi/pyfribidi_0.11.0-1.dsc
pyfribidi_0.11.0.orig.tar.bz2
to main/p/pyfribidi/pyfribidi_0.11.0.orig.tar.bz2
python-pyfribidi-dbg_0.11.0-1_amd64.deb
to main/p/pyfribidi/python-pyfribidi-dbg_0.11.0-1_amd64.deb
python-pyfribidi_0.11.0-1_amd64.deb
to main/p/pyfribidi/python-pyfribidi_0.11.0-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 663189@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@sabily.org> (supplier of updated pyfribidi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 10 Mar 2012 10:43:02 +0200
Source: pyfribidi
Binary: python-pyfribidi python-pyfribidi-dbg
Architecture: source amd64
Version: 0.11.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@sabily.org>
Description:
python-pyfribidi - FriBidi Python bindings
python-pyfribidi-dbg - FriBidi Python bindings (debug symbols)
Closes: 663189
Changes:
pyfribidi (0.11.0-1) unstable; urgency=low
.
[ أحمد المحمودي (Ahmed El-Mahmoudy) ]
* New upstream release. (Closes: #663189)
* debian/control: Updated Standards-Version to 3.9.3
* Bumped compat level to 9.
* Removed all patches as they are no longer needed.
* debian/watch: Added pypi URL.
* Removed debian/source.lintian-overrides
* Updated debian/python-pyfribidi.install
.
[ Piotr Ożarowski ]
* DM-Upload-Allowed set to yes
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#663189; Package src:pyfribidi.
(Wed, 21 Mar 2012 10:39:15 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
(Wed, 21 Mar 2012 10:39:16 GMT) (full text, mbox, link).
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.5) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track the progress of this request.
For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].
0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 02 Jun 2013 08:26:32 GMT) (full text, mbox, link).