Bug 444989 (CVE-2008-4864) - VUL-0: CVE-2008-4864: python: imageop.c integer overflows
Summary: VUL-0: CVE-2008-4864: python: imageop.c integer overflows
Status: RESOLVED FIXED
Alias: CVE-2008-4864
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Deadline: 2008-12-12
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: wasL3:30734 maint:released:10.3:21060...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
 
Reported: 2008-11-14 09:58 UTC by Thomas Biege
Modified: 2023-11-27 13:38 UTC
CC List: 5 users

See Also:
Found By: Development
Services Priority: 800
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Thomas Biege 2008-11-14 09:58:23 UTC
Hi.
There is a security bug in 'python'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2008-4864
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864


Original posting:



CVE-ID: CVE-2008-4864
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864


Multiple integer overflows in imageop.c in the imageop module in
Python 1.5.2 through 2.5.1 allow context-dependent attackers to break
out of the Python VM and execute arbitrary code via large integer
values in certain arguments to the crop function, leading to a buffer
overflow, a different vulnerability than CVE-2007-4965 and
CVE-2008-1679.


Current Votes:
None (candidate not yet proposed)
Comment 1 Jan Matejek 2008-11-18 12:17:40 UTC
this does not exist in stable, we dropped the imageop module (and it was apparently a good thing to do)

i'm investigating older distros.
Comment 2 Jan Matejek 2008-11-28 17:13:00 UTC
fix submitted for SLES9, SLES10, 10.2 (just to be sure), 10.3 and 11.0

handing over to security team
Comment 3 Ludwig Nussel 2008-12-01 10:24:23 UTC
reproducer from http://scary.beasts.org/security/CESA-2008-008.htm

import imageop
s = ''
imageop.crop(s, 1, 65536, 65536, 0, 0, 65536, 65536)
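Why the reproducer above gets past the module's input validation, as an added illustration (not code from Python's imageop.c or from this bug's patch): the pre-fix length check compared len(image) against size*x*y computed in plain int arithmetic, so 1*65536*65536 wraps to 0 and an empty string "has the correct length". The wrapping variant is modelled with uint32_t here so the wrap is deterministic; the checked variant shows the division-based guard a defender would add. Function names and the modelling are this example's own assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model of the pre-fix check: the required length is computed by multiplying
 * first and comparing afterwards, so an oversized product silently wraps.
 * (uint32_t is used for determinism; signed overflow is undefined in C.) */
bool length_ok_wrapping(size_t len, int size, int x, int y)
{
    uint32_t needed = (uint32_t)size * (uint32_t)x * (uint32_t)y; /* may wrap to 0 */
    return len == needed;
}

/* Hardened check: reject non-positive dimensions and any product that would
 * not fit in an int, before the multiplication is performed. */
bool length_ok_checked(size_t len, int size, int x, int y)
{
    if (size <= 0 || x <= 0 || y <= 0)
        return false;
    if (x > INT_MAX / y)            /* x*y would overflow */
        return false;
    int pixels = x * y;
    if (size > INT_MAX / pixels)    /* size*x*y would overflow */
        return false;
    return len == (size_t)(size * pixels);
}

/* Arguments taken from the reproducer in Comment 3: empty string, size 1,
 * a 65536 x 65536 image (constructed test input). */
#define REPRO_LEN  0
#define REPRO_SIZE 1
#define REPRO_X    65536
#define REPRO_Y    65536

/* true: 1 * 65536 * 65536 == 2^32 wraps to 0, matching the empty buffer */
bool reproducer_passes_wrapping_check(void)
{
    return length_ok_wrapping(REPRO_LEN, REPRO_SIZE, REPRO_X, REPRO_Y);
}

/* false: the guard detects that 65536 * 65536 does not fit in an int */
bool reproducer_passes_checked_check(void)
{
    return length_ok_checked(REPRO_LEN, REPRO_SIZE, REPRO_X, REPRO_Y);
}
```

A legitimate image still passes the hardened check (for example 12 bytes for a 4x3 image with size 1), so the guard rejects only inputs whose declared geometry cannot correspond to the buffer.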
Comment 4 Marcus Meissner 2008-12-03 16:39:44 UTC
python does not build on 10.3-x86_64   (everywhere else it builds)
Comment 5 Jan Matejek 2008-12-04 15:45:50 UTC
right on it.
the reason for failure is weird, though
Comment 6 Jan Matejek 2008-12-05 17:03:14 UTC
i can't reproduce the failure in local abuild, nor in mbuild.

is it possible that the sources for those builds are broken (those in /work/SRC/old-versions/whatever are OK) ?
Comment 7 Marcus Meissner 2008-12-06 11:28:48 UTC
i think it's related to the memory size of the machine.

my 512MB machine does not trigger it.
/work/SRC/old-versions/10.3/all/python/python-2.5.2-CVE-2008-3143-googles-int-overflow.patch
+def test_crasher():
+    assertRaises(MemoryError, struct.pack, "357913941c", "a")
+
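Review bot: this test hard-codes a 32-bit assumption: the item count 357913941 is chosen so that the size calculation overflows and struct.pack raises MemoryError, but on a 64-bit build the outcome instead depends on whether the resulting large allocation exceeds the build's virtual memory limit, which is exactly what the ulimit -v difference quoted below and the "only works on 32bits" finding in Comment 8 show. Guard the test on the platform word size (skip it or expect the platform's actual failure on 64-bit) or choose a count that overflows on both widths; excluding test_struct as a whole hides the regression rather than fixing the test.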

this does not seem to run out of memory I think in abuild.

The only thing I see differently is:
--- python      2008-12-06 00:50:46.000000000 +0100
+++ /work/built/mbuild/westernhagen-meissner-6/10.3-x86_64/Logfile.python.spec  2008-12-06 00:58:52.108922000 +0100
@@ -1,14 +1,14 @@
-Limit Virtual Memory to 9284666 (ulimit -v)
-stravinsky started 'build --clean /work/SRC/old-versions/10.3/all/python/python.spec' at Sat Dec  6 00:31:58 CET 2008.
+Limit Virtual Memory to 1760754 (ulimit -v)
+nitsch started 'build --clean /work/built/mbuild/westernhagen-meissner-6/python.spec' at Sat Dec  6 00:43:57 CET 2008.


If there is 9GB virtual memory it fails, if there is 1.7 GB ... it works.



I triggered several rebuilds and one of them now succeeded.


... not sure if we want to fix this now, or with the next update. For this update its fine now.
Comment 8 Jan Matejek 2008-12-09 17:33:48 UTC
oh ... i could've found that one too :e/

the test is broken, it only works on 32bits. i guess it's okay to remove the whole test_struct for now and fix it with the next update.
should i submit a proper version (in that case, i'd fix the test now) or will you do it yourself? (it's sufficient to append "-x test_struct" to EXCLUDE in the specfile)
Comment 9 Ludwig Nussel 2008-12-10 10:17:04 UTC
just go ahead and fix it
Comment 10 Jan Matejek 2008-12-12 18:05:31 UTC
submitted, it was a trivial change in the end
Comment 11 Heiko Rommel 2009-01-09 13:44:21 UTC
While testing the prepared maintenance update

YOU Patch No: 12316
MD5 sum: 3118793234bb8b5e0dcba89b0a141f28
SUBSWAMPID: 21062

I found that the new test cases of imageop (part of python-devel) do not execute on code9:

oes:/usr/lib/python/test # python ./test_imageop.py
Traceback (most recent call last):
  File "./test_imageop.py", line 14, in ?
    VALUES = tuple( [-x for x in reversed(_VALUES)] ) + (0,) + _VALUES
NameError: name 'reversed' is not defined
Comment 12 Swamp Workflow Management 2009-01-09 14:48:25 UTC
Update released for: python, python-curses, python-demo, python-devel, python-gdbm, python-idle, python-tk, python-xml
Products:
openSUSE 10.3 (i386, ppc, ppc64, x86_64)
openSUSE 11.0 (debug, i386, ppc, ppc64, x86_64)
Comment 13 Thomas Biege 2009-01-09 14:50:01 UTC
packages released
Comment 14 Swamp Workflow Management 2009-01-09 23:00:22 UTC
Update released for: python, python-curses, python-demo, python-devel, python-gdbm, python-idle, python-tk, python-xml
Products:
SLE-DESKTOP 10-SP2 (i386, x86_64)
SLE-SDK 10-SP2 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Comment 15 Swamp Workflow Management 2009-01-09 23:00:33 UTC
Update released for: python, python-curses, python-demo, python-devel, python-doc, python-doc-pdf, python-gdbm, python-idle, python-mpz, python-tk, python-xml
Products:
Novell-Linux-Desktop 9 (i386, x86_64)
Novell-Linux-POS 9 (i386)
Open-Enterprise-Server 9 (i386)
SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Comment 16 Thomas Biege 2009-10-14 01:44:31 UTC
CVE-2008-4864: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)