Bugzilla – Bug 1079300
VUL-0: CVE-2018-1000030: python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c
Last modified: 2022-06-10 08:40:17 UTC
CVE-2018-1000030 Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. The vulnerability lies when multiple threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Frees->Thread2->Re-uses-Free'd Memory.

All supported codestreams are affected:
- SUSE:SLE-10-SP3:Update
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-12-SP1:Update

There are upstream patches available:
Patch: https://bugs.python.org/file47157/0001-stop-crashes-when-iterating-over-a-file-on-multiple-.patch
https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b

References:
https://bugs.python.org/issue31530
https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view
https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0
https://bugzilla.redhat.com/show_bug.cgi?id=1541558
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000030
The package python27 in SUSE:SLE-11-SP1:Update:Teradata is also affected.
This issue is fixed by upstream patch 6401e5671781eb217ee1afb4603cc0d1b0367ae6. Since that solution had unintended side-effects, another commit was added on top of it in dbf52e02f18dac6f5f0a64f78932f3dc6efc056b. Both patches are submitted to SLE-12-SP1 and SUSE:SLE-11-SP1:Update:Teradata. I made an honest attempt at back-porting the fixes to SLE-11-SP1 (Python-2.6.9) and managed to apply the first patch, but not the second one. The second patch -- which provides the proper solution -- has substantial differences with regard to the state of Objects/fileobject.c in that old Python version and I don't think it can be applied. Patching SLE-10-SP3, which is based on the even older version Python 2.4.2, seems out of the question.
Actually I don't see how this issue got a CVE assigned. Where is the security relevance? Working on the same data from parallel threads without explicit synchronization is always a bad idea. One can argue that built-in Python objects should survive this without corruption. And I think this is what this bug is actually about. But how should an attacker exploit this issue? It requires a program that operates without sense in parallel on the same file objects. And even then you need some additional attack vector. Red Hat seems to have come to the same conclusion: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1000030 Investing effort in a complex backport for such a kind of "vulnerability" is not helpful in my opinion.
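An added example, not code from this bug report or from CPython, of the explicit synchronization the comment above calls for: one lock-guarded reader hands lines from a shared file object to several worker threads, so the file's internal read buffer is never touched by two threads at once. Written for Python 3; the SharedLineReader class and the generated sample file are constructed here and are not part of the upstream fix.

```python
import os
import tempfile
import threading

class SharedLineReader:
    """Hand out lines from one shared file object to many threads, one at a time.
    The lock covers the whole readline() call, so the file object's internal
    buffer is never touched by two threads at once."""

    def __init__(self, fileobj):
        self._f = fileobj
        self._lock = threading.Lock()

    def next_line(self):
        with self._lock:
            return self._f.readline()  # '' once EOF is reached

def consume_in_parallel(path, nthreads=4):
    """Drain `path` with nthreads workers sharing one guarded reader.
    Returns (lines_seen, per_thread_counts) so the caller can verify that
    every line was delivered exactly once."""
    seen, seen_lock = [], threading.Lock()
    counts = [0] * nthreads
    with open(path) as f:
        reader = SharedLineReader(f)
        def worker(idx):
            while True:
                line = reader.next_line()
                if not line:  # EOF: this worker is done
                    return
                with seen_lock:
                    seen.append(line.rstrip("\n"))
                counts[idx] += 1  # only this thread writes counts[idx]
        threads = [threading.Thread(target=worker, args=(i,)) for i in range(nthreads)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    return seen, counts

def run_demo(nlines=1000, nthreads=4):
    """Constructed sample input: nlines numbered lines in a temporary file."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.writelines("line %d\n" % i for i in range(nlines))
    try:
        return consume_in_parallel(path, nthreads)
    finally:
        os.remove(path)
```

Every line ends up in `seen` exactly once regardless of how the threads interleave, because the only shared mutable state (the file object and the result list) is reached through a lock.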
SUSE-SU-2018:1372-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1068664,1079300
CVE References: CVE-2017-1000158,CVE-2018-1000030
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): python-base-2.7.13-28.3.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): python-base-2.7.13-28.3.2
SUSE Linux Enterprise Server 12-SP3 (src): python-2.7.13-28.3.2, python-base-2.7.13-28.3.2, python-doc-2.7.13-28.3.3
SUSE Linux Enterprise Desktop 12-SP3 (src): python-2.7.13-28.3.2, python-base-2.7.13-28.3.2
SUSE Enterprise Storage 5 (src): python-2.7.13-28.3.2
SUSE CaaS Platform ALL (src): python-2.7.13-28.3.2, python-base-2.7.13-28.3.2
OpenStack Cloud Magnum Orchestration 7 (src): python-2.7.13-28.3.2, python-base-2.7.13-28.3.2
openSUSE-SU-2018:1415-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1068664,1079300
CVE References: CVE-2017-1000158,CVE-2018-1000030
Sources used:
openSUSE Leap 42.3 (src): python-2.7.13-27.3.1, python-base-2.7.13-27.3.1, python-doc-2.7.13-27.3.1
Since the security impact is negligible, we will not fix this for older Python versions due to the risk of introducing regressions. I added a note to the CVE pages to reflect this.
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.
Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1079300) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (1079300) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python
This is an autogenerated message for OBS integration: This bug (1079300) was mentioned in https://build.opensuse.org/request/show/981989 Factory / python