Bug 1079300 - (CVE-2018-1000030) VUL-0: CVE-2018-1000030: python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/199416/
Whiteboard: CVSSv3:RedHat:CVE-2018-1000030:3.6:(A...
Depends on:
Blocks:
Reported: 2018-02-05 08:37 UTC by Karol Babioch
Modified: 2022-06-10 08:40 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Karol Babioch 2018-02-05 08:37:34 UTC
CVE-2018-1000030

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. The vulnerability arises when multiple threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread 1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Frees->Thread2-Re-uses-Freed Memory.

All supported codestreams are affected:

- SUSE:SLE-10-SP3:Update 
- SUSE:SLE-11-SP1:Update 
- SUSE:SLE-12-SP1:Update 

There are upstream patches available:

Patch:
https://bugs.python.org/file47157/0001-stop-crashes-when-iterating-over-a-file-on-multiple-.patch
https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b

References:
https://bugs.python.org/issue31530
https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view
https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0
https://bugzilla.redhat.com/show_bug.cgi?id=1541558
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000030
Comment 1 Karol Babioch 2018-02-05 09:36:33 UTC
The package python27 in SUSE:SLE-11-SP1:Update:Teradata is also affected.
Comment 2 Peter Simons 2018-03-13 18:18:40 UTC
This issue is fixed by upstream patch 6401e5671781eb217ee1afb4603cc0d1b0367ae6. Since that solution had unintended side-effects, another commit was added on top of it in dbf52e02f18dac6f5f0a64f78932f3dc6efc056b. Both patches are submitted to SLE-12-SP1 and SUSE:SLE-11-SP1:Update:Teradata.

I made an honest attempt at back-porting the fixes to SLE-11-SP1 (Python-2.6.9) and managed to apply the first patch, but not the second one. The second patch -- which provides the proper solutions -- has substantial differences with regard to the state of Objects/fileobject.c in that old Python version and I don't think it can be applied.

Patching SLE-10-SP3, which is based on the even older version Python 2.4.2, seems out of the question.
Comment 5 Matthias Gerstner 2018-04-17 08:34:06 UTC
Actually I don't see how this issue got a CVE assigned. Where is the security
relevance? Working on the same data from parallel threads without explicit
synchronization is always a bad idea. One can argue that builtin Python
objects should survive this without corruption. And I think this is what this
bug is actually about.

But how should an attacker exploit this issue? It requires a program that
operates without sense in parallel on the same file objects. And even then you
need some additional attack vector.

Red Hat seems to have come to the same conclusion:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1000030

Investing effort in a complex backport for such a kind of "vulnerability" is
not helpful in my opinion.
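Comment 5 locates the problem in unsynchronised parallel use of one file object, and the race in the description (one thread sizing the buffer while another already writes into it) only arises when several threads advance the same file object at once. As an added example that is not part of the bug report or of CPython, the following Python shows the application-level mitigation that works regardless of interpreter version: every read on the shared file object is serialised behind a lock, and the caller can verify that each line of a constructed temporary file was consumed exactly once.

```python
import os
import tempfile
import threading

class LockedLineReader(object):
    """Wrap one shared file object so only one thread at a time can advance it."""
    def __init__(self, fileobj):
        self._f = fileobj
        self._lock = threading.Lock()

    def __iter__(self):
        return self

    def __next__(self):
        with self._lock:  # readline() and the EOF check happen atomically
            line = self._f.readline()
        if not line:
            raise StopIteration
        return line

    next = __next__  # Python 2 iterator protocol (the affected interpreter line)

def read_concurrently(path, nthreads=4):
    """nthreads workers consume one shared reader; returns each worker's lines."""
    results = [[] for _ in range(nthreads)]
    with open(path, "rb") as f:
        reader = LockedLineReader(f)

        def worker(idx):
            for line in reader:
                results[idx].append(line)

        threads = [threading.Thread(target=worker, args=(i,)) for i in range(nthreads)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    return results

def demo(nlines=5000):
    """Constructed input: numbered lines in a temp file. Returns (expected, seen)."""
    expected = [("line %06d\n" % i).encode("ascii") for i in range(nlines)]
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"".join(expected))
        seen = sorted(l for part in read_concurrently(path) for l in part)
    finally:
        os.unlink(path)
    return expected, seen
```

Handing each worker its own file object (one `open()` per thread) is the other safe pattern; what must be avoided is several threads driving the same file object without the lock.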
Comment 9 Swamp Workflow Management 2018-05-23 06:19:09 UTC
SUSE-SU-2018:1372-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1068664,1079300
CVE References: CVE-2017-1000158,CVE-2018-1000030
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    python-base-2.7.13-28.3.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    python-base-2.7.13-28.3.2
SUSE Linux Enterprise Server 12-SP3 (src):    python-2.7.13-28.3.2, python-base-2.7.13-28.3.2, python-doc-2.7.13-28.3.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    python-2.7.13-28.3.2, python-base-2.7.13-28.3.2
SUSE Enterprise Storage 5 (src):    python-2.7.13-28.3.2
SUSE CaaS Platform ALL (src):    python-2.7.13-28.3.2, python-base-2.7.13-28.3.2
OpenStack Cloud Magnum Orchestration 7 (src):    python-2.7.13-28.3.2, python-base-2.7.13-28.3.2
Comment 12 Swamp Workflow Management 2018-05-24 01:07:40 UTC
openSUSE-SU-2018:1415-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1068664,1079300
CVE References: CVE-2017-1000158,CVE-2018-1000030
Sources used:
openSUSE Leap 42.3 (src):    python-2.7.13-27.3.1, python-base-2.7.13-27.3.1, python-doc-2.7.13-27.3.1
Comment 13 Johannes Segitz 2018-05-24 11:46:56 UTC
Since the security impact is negligible we will not fix this for older python versions due to the risk of introducing regressions. I added a note to the CVE pages to reflect this.
Comment 16 Swamp Workflow Management 2020-01-24 20:12:22 UTC
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.

Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 OBSbugzilla Bot 2022-02-06 22:30:18 UTC
This is an autogenerated message for OBS integration:
This bug (1079300) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python
Comment 19 OBSbugzilla Bot 2022-02-09 19:10:19 UTC
This is an autogenerated message for OBS integration:
This bug (1079300) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python
Comment 20 OBSbugzilla Bot 2022-06-10 08:40:17 UTC
This is an autogenerated message for OBS integration:
This bug (1079300) was mentioned in
https://build.opensuse.org/request/show/981989 Factory / python