CVE-2014-1912 (NVD)

2014-03-01

Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.

Products Mac_os_x, Python
Type Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
First patch https://github.com/python/cpython/commit/fbf648ebba32bbc5aa571a4b09e2062a65fd2492
Relevant file/s • ./Modules/socketmodule.c
• ./Lib/test/test_socket.py (modified, +8)
• ./Misc/ACKS (modified, +1)
• ./Misc/NEWS (modified, +2)
Links http://www.exploit-db.com/exploits/31875
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://www.securitytracker.com/id/1029831
https://security.gentoo.org/glsa/201503-10
http://rhn.redhat.com/errata/RHSA-2015-1330.html
Detailed repository view
The native Python socket module function recvfrom_into receives and writes a number of bytes from a socket into a given buffer.
This is called from Python as `socket.recvfrom_into(buffer[, nbytes[, flags]])`. The C function `sock_recvfrom_into` then creates a buffer structure `buf` for the purpose of receiving data.
`sock_recvfrom_guts` will then execute the critical write to the `cbuf` pointer as can be seen below.
Finally, one of the above `recvfrom` calls can now trigger a buffer overwrite in the provided `buf`/`cbuf` buffer.