Bugzilla – Bug 985177
VUL-1: CVE-2016-5636: python3,python: Heap overflow in zipimporter module
Last modified: 2022-02-13 11:14:57 UTC
From: Insu Yun <wuninsu@gmail.com>
To: oss-security@lists.openwall.com, Yeongjin Jang <Yeongjin.jang@gatech.edu>
Subject: [oss-security] CVE Request: heap overflow in Python zipimport module

Hello.

In Python zipimport module, if compress != 0, then
bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case, python allocates small heap, but after that in freed, it overflows heap.

Fix info
https://bugs.python.org/issue26171

Please help assign a CVE to this vulnerability.
Thank you.
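The size computation described in the report above, as an added C example (not CPython's code and not part of the original report): the unchecked data_size + 1 beside a version that validates the field first. The function names are hypothetical, and passing the same field to a read call as a size_t length is an assumption of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration; function names are hypothetical, not CPython's.
 * data_size stands for the length field read from the archive. */

/* The arithmetic from the report: no validation before the +1. */
static long unchecked_alloc_size(long data_size, int compress)
{
    return compress != 0 ? data_size + 1 : data_size;
}

/* Assumption: the same field is later used as a size_t read length. */
static size_t length_as_size_t(long data_size)
{
    return (size_t)data_size;
}

/* Hardened form: validate the field before doing arithmetic on it.
 * Returns 0 and stores the allocation size, or -1 to reject the entry. */
static int checked_alloc_size(long data_size, int compress, size_t *out)
{
    if (data_size < 0)
        return -1;                      /* a negative length is never valid */
    if (compress != 0 && data_size > LONG_MAX - 1)
        return -1;                      /* +1 would overflow a signed long */
    *out = (size_t)data_size + (compress != 0 ? 1u : 0u);
    return 0;
}

int main(void)
{
    long field = -1;                    /* constructed sample value */
    size_t n = 0;

    printf("unchecked alloc size: %ld\n", unchecked_alloc_size(field, 8));
    printf("length seen by read:  %zu\n", length_as_size_t(field));
    printf("checked result:       %d\n", checked_alloc_size(field, 8, &n));
    if (checked_alloc_size(100, 8, &n) == 0)
        printf("valid field 100 -> allocate %zu bytes\n", n);
    return 0;
}
```

With the field set to -1 the unchecked path asks for a 0-byte buffer while the length converts to SIZE_MAX; the checked path rejects the entry before any allocation.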
Created attachment 681035
crash.py

QA REPRODUCER:

python crash.py
python3 crash.py
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/405901 Factory / python
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/405973 13.2+42.1 / python
QA reproducing:

Before:
# python crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault

# valgrind python crash.py
[...]
==29282== ERROR SUMMARY: 427 errors from 40 contexts (suppressed: 22 from 7)

After:
Homer: ==24130== ERROR SUMMARY: 438 errors from 43 contexts (suppressed: 22 from 7)
Marge: ==5814== ERROR SUMMARY: 420 errors from 35 contexts (suppressed: 33 from 8)
s390vsw037: ==41261== ERROR SUMMARY: 442 errors from 43 contexts (suppressed: 20 from 5)
For the record, Python cannot be easily tested by valgrind, as many of the error reports are spurious. Looking into the failure now.
openSUSE-SU-2016:1885-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 964182,984751,985177,985348 CVE References: CVE-2016-0772,CVE-2016-5636,CVE-2016-5699 Sources used: openSUSE Leap 42.1 (src): python-2.7.12-23.1, python-base-2.7.12-23.1, python-doc-2.7.12-23.1 openSUSE 13.2 (src): python-2.7.12-3.1, python-base-2.7.12-3.1, python-doc-2.7.12-3.1
I now have a patch for Python 2.7 and 3.4 in SLE 12. The problem is that the zipimport module contains a number of unsafe overflow checks which are not part of the CVE, and in theory, could also lead to vulnerabilities. Upstream seems to have fixed them for maintained pythons, that is 2.7, 3.4 and 3.5. The original patch that I submitted fixes part of the problem, but apparently not the whole CVE, much less all of the issues. Backporting the full fix doesn't seem worth the effort, given the severity. So I'd instead declare WONTFIX for SLE 11 and below. Alternately, I could just backport parts relevant to this particular CVE, with the caveat that more could appear in the future.
I would be fine with wontfix for sle11.
SUSE-SU-2016:2106-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 984751,985177,985348,989523 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP1 (src): python-base-2.7.9-24.2 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): python-base-2.7.9-24.2 SUSE Linux Enterprise Server 12-SP1 (src): python-2.7.9-24.1, python-base-2.7.9-24.2, python-doc-2.7.9-24.4 SUSE Linux Enterprise Desktop 12-SP1 (src): python-2.7.9-24.1, python-base-2.7.9-24.2
openSUSE-SU-2016:2120-1: An update that solves 5 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 935856,951166,983582,984751,985177,985348,989523 CVE References: CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Sources used: openSUSE Leap 42.1 (src): python3-3.4.5-8.1, python3-base-3.4.5-8.1, python3-doc-3.4.5-8.1 openSUSE 13.2 (src): python3-3.4.5-4.4.1, python3-base-3.4.5-4.4.1, python3-doc-3.4.5-4.4.1
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/423094 42.2 / python3
SUSE-SU-2016:2653-1: An update that solves four vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 951166,983582,984751,985177,985348,989523,991069 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): python3-base-3.4.5-17.1 SUSE Linux Enterprise Server 12-SP1 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1 SUSE Linux Enterprise Desktop 12-SP1 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1
SUSE-SU-2016:2859-1: An update that solves four vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 951166,983582,984751,985177,985348,989523,991069 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1 SUSE Linux Enterprise Server 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1 SUSE Linux Enterprise Desktop 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1
released
(In reply to Marcus Meissner from comment #1)
> Created attachment 681035
> crash.py
>
> QA REPRODUCER:
>
> python crash.py
>
> python3 crash.py

sles11sp4-x64:/test/skliu/python # ./crash.py
^C

The testcase cannot run with python2.6
SUSE-SU-2018:2408-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1086001,1088004,1088009,985177 CVE References: CVE-2016-5636,CVE-2018-1060,CVE-2018-1061 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1 SUSE Linux Enterprise Server 11-SP4 (src): python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): python-2.6.9-40.15.1, python-base-2.6.9-40.15.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): python-2.6.9-40.15.1, python-base-2.6.9-40.15.1
SUSE-SU-2019:0223-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1122191,984751,985177,985348,989523 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2019-5010 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): python-2.7.9-16.7.1, python-base-2.7.9-16.7.2, python-doc-2.7.9-16.7.2
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available. Category: security (important) Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523 CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3 SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Development Tools 15 (src): python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Basesystem 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available. Category: security (important) Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523 CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 Sources used: openSUSE Leap 15.1 (src): python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available. Category: security (important) Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436 CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948 Sources used: SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.32.2 SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.17-7.32.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1 SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/851367 Factory / python36
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/852415 Factory / python36
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/853277 Factory / python36
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/853314 Factory / python36
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/856737 Factory / python36
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/923499 Factory / python36
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/926876 Factory / python36
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (985177) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python