安全研究
安全漏洞
Python多个整数溢出漏洞
发布日期:2008-07-31
更新日期:2008-08-05
受影响系统:
Python python 2.5.x不受影响系统:
Python python 2.4.x
Python python 2.5.2 r6描述:
Python python 2.4.4 r14
BUGTRAQ ID: 30491
CVE(CAN) ID: CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144
Python是一种开放源代码的脚本编程语言。
Python中存在多个整数溢出漏洞,可能允许恶意用户导致拒绝服务或入侵有漏洞的系统。
1) stringobject、unicodeobject、bufferobject、longobject、tupleobject、stropmodule、gcmodule、mmapmodule等核心模块中存在各种整数溢出。
2) hashlib模块中的整数溢出可能导致不可信任的加密摘要结果。
3) 在处理unicode字符串时unicode_resize()中的整数溢出可能在32位系统上导致错误的内存分配。以下是有漏洞的代码段:
174 static
175 int unicode_resize(register PyUnicodeObject *unicode,
176 Py_ssize_t length)
177 {
[...]
201
202 oldstr = unicode->str;
203 PyMem_RESIZE(unicode->str, Py_UNICODE, length + 1);
[...]
209 unicode->str[length] = 0;
210 unicode->length = length;
211
95 #define PyMem_RESIZE(p, type, n) \
96 ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
97 ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
4) 在不存在vsnprintf()函数的架构上,PyOS_vsnprintf()函数中存在整数溢出漏洞。以下是有漏洞的代码段:
53 int
54 PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
55 {
56 int len; /* # bytes written, excluding \0 */
[...]
60 assert(str != NULL);
61 assert(size > 0);
62 assert(format != NULL);
63
[...]
67 /* Emulate it. */
68 buffer = PyMem_MALLOC(size + 512);
69 if (buffer == NULL) {
70 len = -666;
71 goto Done;
72 }
73
74 len = vsprintf(buffer, format, va);
75 if (len < 0)
76 /* ignore the error */;
77
78 else if ((size_t)len >= size + 512)
79 Py_FatalError("Buffer overflow in
PyOS_snprintf/PyOS_vsnprintf");
80
81 else {
82 const size_t to_copy = (size_t)len < size ?
83 (size_t)len : size - 1;
84 assert(to_copy < size);
85 memcpy(str, buffer, to_copy);
86 str[to_copy] = '\0';
87 }
88 PyMem_FREE(buffer);
89 Done:
[...]
91 str[size-1] = '\0';
92 return len;
93 }
5) 如果向PyOS_vsnprintf()函数传送了0长度的字符串的话,就可能触发整数溢出,导致内存破坏。以下是有漏洞的代码段:
53 int
54 PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
55 {
56 int len; /* # bytes written, excluding \0 */
57 #ifndef HAVE_SNPRINTF
58 char *buffer;
59 #endif
60 assert(str != NULL);
61 assert(size > 0);
62 assert(format != NULL);
[...]
65 len = vsnprintf(str, size, format, va);
[...]
91 str[size-1] = '\0';
92 return len;
93 }
<*来源:David Remahl (vuln@remahl.se)
Justin Ferguson (jferguson@ioactive.com)
链接:http://secunia.com/advisories/31305/
http://bugs.gentoo.org/show_bug.cgi?format=multiple&id=232137
http://bugs.gentoo.org/show_bug.cgi?format=multiple&id=230640
http://bugs.python.org/issue2620
http://bugs.python.org/issue2588
http://bugs.python.org/issue2589
http://security.gentoo.org/glsa/glsa-200807-16.xml
http://www.debian.org/security/2008/dsa-1667
*>
建议:
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1667-1)以及相应补丁:
DSA-1667-1:New python2.4 packages fix several vulnerabilities
链接:http://www.debian.org/security/2008/dsa-1667
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz
Size/MD5 checksum: 9508940 f74ef9de91918f8927e75e8c3024263a
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2.dsc
Size/MD5 checksum: 1201 0b3898b3477ae37a81d28f9539c50de6
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2.diff.gz
Size/MD5 checksum: 205713 ac023a02c39a7e70b10c268e7169cbc7
Architecture independent packages:
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch2_all.deb
Size/MD5 checksum: 589678 9c6aef28fb1ff9a804fa1a147ce69d9e
http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch2_all.deb
Size/MD5 checksum: 60906 f03f5452778817758dfce037ba571001
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 965736 6f3adc06d80c3fdeda48e3bc0b12e5d9
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 5238160 680f07c3e87cb20b05b37745cf80f39a
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 2970930 e9f0951b39f36de2bd288aa34ca0dbc4
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 1850704 3ccfc06ca31ae9f7f6cb631e8ee3a000
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 967804 0b594b7a4e03004672043d5c58019f80
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 1637308 bcb8e0ccd455c2487ee2721d3d84aca1
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 5592228 441466ec5cbe0a3bf5b7d55a6fed7d8b
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 2968524 145a0af7bfaaae7d9ad2203241ec4ee8
arm architecture (ARM)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_arm.deb
Size/MD5 checksum: 5358352 bb915c2a61cdc006db13a8d0c440c56d
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_arm.deb
Size/MD5 checksum: 1502304 84153862216da31338aba857c90871d4
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_arm.deb
Size/MD5 checksum: 902236 6427dc210675b5cce39ab5f928b298db
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_arm.deb
Size/MD5 checksum: 2882452 b6bf0e5f6b4ea813a5bccc567b6e408e
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_hppa.deb
Size/MD5 checksum: 3076702 001c94d6dba8fb9ba08d29ca5ceca65f
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_hppa.deb
Size/MD5 checksum: 1799642 95b811cadf540cc3b3f31a0134d18661
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_hppa.deb
Size/MD5 checksum: 1020124 9c8431097766633b45cfa35bf71761f5
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_hppa.deb
Size/MD5 checksum: 5529414 67fb9036f49688d82b6ee93addc3c3fe
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_i386.deb
Size/MD5 checksum: 901636 b198116fc5425e7fd48dba6d992a0c06
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_i386.deb
Size/MD5 checksum: 2850824 4c7b173a4ebb3444201fe3f45f9e9fd2
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_i386.deb
Size/MD5 checksum: 1511532 4fd6d3f340893f233f674a73642330b0
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_i386.deb
Size/MD5 checksum: 5185158 da92623d224f45bd929b778864f98991
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_ia64.deb
Size/MD5 checksum: 3373186 bf8c76edf3d0c95deaa7bdf81a178a83
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_ia64.deb
Size/MD5 checksum: 6069872 e4dfd4adc2e602334f0896f7424f0575
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_ia64.deb
Size/MD5 checksum: 2271712 46e48abc5e37875a427752c82d8a0f7b
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_ia64.deb
Size/MD5 checksum: 1290446 9c85ea026775b8a4789a3e46816d0d5e
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_mips.deb
Size/MD5 checksum: 957252 d38814f00e5f99329484248c184b24b3
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_mips.deb
Size/MD5 checksum: 5660920 84bacdccb5955980efe7a6b59e5238fa
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_mips.deb
Size/MD5 checksum: 1726146 c4312205f75f0bf6393ff2c7bd70fd2f
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_mips.deb
Size/MD5 checksum: 2907332 db94b5cd8acca9f475f5f6965a66761a
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_mipsel.deb
Size/MD5 checksum: 2864392 a17779986991285abab3391244d9c1e3
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_mipsel.deb
Size/MD5 checksum: 5511232 b92e2004fb01967d4f7014970171e9a9
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_mipsel.deb
Size/MD5 checksum: 1717876 a98897dc330a1a6effa05ff29af9bfab
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_mipsel.deb
Size/MD5 checksum: 939778 6aeb1ef0ed1589b20009b0f7428a2dda
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_powerpc.deb
Size/MD5 checksum: 1642534 468c97ebc8403c556c36da596e31d20f
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_powerpc.deb
Size/MD5 checksum: 2958248 bc7f2d52549e520a9843945dd282bfad
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_powerpc.deb
Size/MD5 checksum: 5786768 370c7b6f933f98308416924f13da6f94
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_powerpc.deb
Size/MD5 checksum: 979280 a25aeb78de7b33b8b2cfe316f3f0a834
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_s390.deb
Size/MD5 checksum: 2977268 a4dcf614e277d8c0f70b4737e53aaf5c
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_s390.deb
Size/MD5 checksum: 974928 a3bd80007cd56a79472b42db039ece4f
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_s390.deb
Size/MD5 checksum: 5674618 cb969a4cc4fda848ebee50528d3c570d
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_s390.deb
Size/MD5 checksum: 1648202 72ebac2aefa5ca8c8e2ef9675e0c6052
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_sparc.deb
Size/MD5 checksum: 2902784 21032174db6897e8828e34ce01fa017d
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_sparc.deb
Size/MD5 checksum: 918976 694c6c564222cff16c9069c6ee8c24bf
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_sparc.deb
Size/MD5 checksum: 1586720 bf9d1414434a21b314535fc6df13103b
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_sparc.deb
Size/MD5 checksum: 5199576 c5bb7eb8ecc15a633d7045d284d3d93d
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200807-16)以及相应补丁:
GLSA-200807-16:Python: Multiple vulnerabilities
链接:http://security.gentoo.org/glsa/glsa-200807-16.xml
所有Python 2.4用户都应升级到最新版本:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r14"
所有Python 2.5用户都应升级到最新版本:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.2-r6"
Python
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://svn.python.org/view?rev=65335&view=rev
浏览次数:3886
严重程度:0(网友投票)
绿盟科技给您安全的保障