Bug 884075 (CVE-2014-4616) - VUL-0: CVE-2014-4616: python: missing boundary check in JSON module
Summary: VUL-0: CVE-2014-4616: python: missing boundary check in JSON module
Status: RESOLVED FIXED
Alias: CVE-2014-4616
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P2 - High
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/99995/
Reported: 2014-06-24 15:26 UTC by Johannes Segitz
Modified: 2014-12-31 10:05 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Johannes Segitz 2014-06-24 15:26:30 UTC
Python 2 and 3 are susceptible to arbitrary process memory reading by
a user or adversary due to a bug in the _json module caused by
insufficient bounds checking.

The sole prerequisites of this attack are that the attacker is able to
control or influence the two parameters of the default scanstring
function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index
value. The index value is then used directly as an index to an array
in the C code; internally the address of the array and its index are
added to each other in order to yield the address of the value that is
desired. However, by supplying a negative index value and adding this
to the address of the array, the processor's register value wraps
around and the calculated value will point to a position in memory
which isn't within the bounds of the supplied string, causing the
function to access other parts of the process memory.

References:
http://bugs.python.org/issue21529
https://bugzilla.redhat.com/show_bug.cgi?id=1112285
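Added example (not code from the bug report or from CPython): a Python wrapper that validates the `end` index before it reaches `json.decoder.scanstring`, the kind of guard a defender would put in front of an unpatched interpreter, plus a small walker that shows the index semantics the description refers to. The names `index_is_valid`, `safe_scanstring` and `extract_strings`, and the sample document, are constructed for this example.

```python
"""Guarding json.decoder.scanstring against out-of-range indices.

Added example, not code from the bug report or from CPython.
scanstring(string, end, strict) expects `end` to be the index just past a
string's opening quote and returns (value, index_after_closing_quote).
Before the fix for CVE-2014-4616 the C implementation used `end` directly
as an array index, so a negative or oversized value read outside the buffer.
"""
from json import decoder


def index_is_valid(s, end):
    """True if `end` addresses a character inside `s` (no wrap-around)."""
    return isinstance(end, int) and 0 <= end < len(s)


def safe_scanstring(s, end, strict=True):
    """Like json.decoder.scanstring, but refuses an `end` that does not lie
    within `s`, so the C scanner never receives an out-of-bounds index."""
    if not index_is_valid(s, end):
        raise ValueError("end %r is out of bounds for a string of length %d"
                         % (end, len(s)))
    return decoder.scanstring(s, end, strict)


def extract_strings(doc):
    """Return every JSON string literal in `doc`, in order of appearance.

    Each opening quote is handed to safe_scanstring, which decodes escapes
    and returns the index after the closing quote; the walk resumes there.
    No structural parsing is done; only string tokens are collected.
    """
    found = []
    i = 0
    while i < len(doc):
        if doc[i] == '"':
            value, i = safe_scanstring(doc, i + 1)
            found.append(value)
        else:
            i += 1
    return found


if __name__ == "__main__":
    sample = '{"a": "x\\"y", "b": ["z"]}'      # constructed input
    print(extract_strings(sample))             # ['a', 'x"y', 'b', 'z']
    for bad in (-1, 10 ** 9):                  # indices the guard rejects
        try:
            safe_scanstring('"abc"', bad)
        except ValueError as exc:
            print("rejected:", exc)
```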
Comment 1 Jan Matejek 2014-06-24 15:39:48 UTC
SLE12 and Factory are already fixed
Comment 2 Jan Matejek 2014-06-24 16:57:18 UTC
python 2.6 (SLE 11) and lower don't seem to be affected -- the vulnerable function argument is not present
Comment 3 Johannes Segitz 2014-06-25 07:14:17 UTC
That was easy, thank you. Can you please take care of openSUSE 12.3 and 13.1?
Comment 6 Bernhard Wiedemann 2014-06-26 18:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (884075) was mentioned in
https://build.opensuse.org/request/show/238819 13.1 / python
https://build.opensuse.org/request/show/238820 13.1 / python3
https://build.opensuse.org/request/show/238821 12.3 / python
https://build.opensuse.org/request/show/238822 12.3 / python3
Comment 7 Jan Matejek 2014-06-27 12:36:39 UTC
handing over to security
Comment 8 Swamp Workflow Management 2014-07-12 17:04:26 UTC
openSUSE-SU-2014:0890-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 884075
CVE References: CVE-2014-4616
Sources used:
openSUSE 13.1 (src):    python-2.7.6-8.10.1, python-base-2.7.6-8.10.1, python-doc-2.7.6-8.10.1, python3-3.3.5-5.12.1, python3-base-3.3.5-5.12.1, python3-doc-3.3.5-5.12.1
openSUSE 12.3 (src):    python-2.7.3-10.16.1, python-base-2.7.3-10.16.1, python-doc-2.7-10.16.1, python3-3.3.0-6.19.1, python3-base-3.3.0-6.19.1, python3-doc-3.3.0-6.19.1
Comment 9 Marcus Meissner 2014-09-01 10:00:38 UTC
was released
Comment 10 Swamp Workflow Management 2014-12-31 10:05:44 UTC
openSUSE-SU-2014:1734-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 863741,884075,885882,898572,901715
CVE References: CVE-2014-1912,CVE-2014-4616,CVE-2014-4650,CVE-2014-7185
Sources used:
openSUSE Evergreen 11.4 (src):    python-2.7.3-52.1, python-base-2.7.3-52.1, python-doc-2.7-52.1