ID: CVE-2014-1912 (NVD)

- Vulnerability Info
2014-02-28

Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.

Products: mac_os_x, python
Type: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
First patch: 2014-01-14
  https://github.com/python/cpython/commit/fbf648ebba32bbc5aa571a4b09e2062a65fd2492
  "complain when nbytes > buflen to fix possible buffer overflow (closes #20246)"
  Stats: +16 lines / -0 lines (total: 16 lines)
Patches: http://hg.python.org/cpython/rev/87673659d8f7
Relevant file/s:
• ./Modules/socketmodule.c
• ./Lib/test/test_socket.py (modified, +8)
• ./Misc/ACKS (modified, +1)
• ./Misc/NEWS (modified, +2)
Links:
• https://security.gentoo.org/glsa/201503-10
• http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
• http://www.debian.org/security/2014/dsa-2880
• http://rhn.redhat.com/errata/RHSA-2015-1330.html
• http://lists.opensuse.org/opensuse-updates/2014-04/msg00035.html
Annotation
The native Python socket module function `recvfrom_into` receives up to a given number of bytes from a socket and writes them into a caller-supplied buffer.
This is called from Python as `socket.recvfrom_into(buffer[, nbytes[, flags]])`. The C function `sock_recvfrom_into` then creates a buffer structure `buf` for the purpose of receiving data.
`sock_recvfrom_guts` will then execute the critical write to the `cbuf` pointer as can be seen below.
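Finally, one of the above `recvfrom` calls can now trigger a buffer overwrite in the provided `buf`/`cbuf` buffer when the requested `nbytes` is greater than the buffer's length, which is the condition the first patch rejects.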
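A check for whether a given interpreter carries the fix, added here as an example (it is not code from the CPython patch or from this database). It assumes that a patched `recvfrom_into` raises `ValueError` when `nbytes` exceeds the buffer length; the function names and the 8-byte/1024-byte sizes are constructed for illustration.

```python
import socket
import sys


def in_affected_range(v=sys.version_info):
    """Version test built from the ranges in the CVE description above."""
    v = tuple(v)
    if (2, 5) <= v[:2] <= (2, 7):
        return v[:3] < (2, 7, 7)
    if v[0] == 3 and v[:2] < (3, 4):
        return v[:3] < (3, 3, 4)
    if v[:3] == (3, 4, 0):
        # 3.4 alphas and betas precede 3.4rc1 (release level "candidate")
        return len(v) > 3 and v[3] in ("alpha", "beta")
    return False


def rejects_oversized_nbytes():
    """True if recvfrom_into() refuses nbytes > len(buffer).

    Nothing is ever sent on the socket pair and the receiver is
    non-blocking, so an interpreter without the check fails with a socket
    error (no data available) instead of writing into the buffer.
    """
    receiver, peer = socket.socketpair()
    try:
        receiver.setblocking(False)
        buf = bytearray(8)                      # constructed: 8-byte buffer
        try:
            receiver.recvfrom_into(buf, 1024)   # constructed: 1024 requested
        except ValueError:
            return True                         # length check present
        except socket.error:
            return False                        # reached recvfrom(): no check
        return False
    finally:
        receiver.close()
        peer.close()


if __name__ == "__main__":
    print("version in affected range:", in_affected_range())
    print("oversized nbytes rejected:", rejects_oversized_nbytes())
```

The behavioural result is the one to trust on distribution builds, since vendors may backport the fix without changing the reported version.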