Control: retitle -1 matplotlib: CVE-2013-1424: printf buffer overrun Hi,
On Sun, Jan 18, 2015 at 01:44:36PM -0500, Michael Gilbert wrote: > package: src:matplotlib > version: 0.99.3-1 > severity: serious > tag: security, patch > > Matt Giuca reported a matplotlib buffer overrun to the private > security team request tracker in 2013, which ended up falling through > the cracks at the time. See below for the original message and a > proposed patch attached. > > On Wed, Jan 23, 2013 at 11:21:14PM +0000, Matt Giuca via RT wrote: > > The bug is in > > src/mplutils.cpp<https://github.com/matplotlib/matplotlib/blob/master/src/mplutils.cpp>. > > The Printf::Printf constructor accepts an arbitrary format string and > > values, and dumps it into a 1024-byte buffer with vsprintf. This is > > obviously not safe, as the user can simply supply enough bytes to overflow > > the 1024-byte buffer. > > > > The bug can be exploited from Python code, through a number of > > Python-exposed functions that call Printf. The most obvious entry-point I > > can find is ft2font.FT2Font constructor: > > > > >>> from matplotlib import ft2font > > >>> ft2font.FT2Font('x' * 2048) > > *** glibc detected *** python: free(): invalid next size (normal): > > 0x00000000029f1480 *** > > > > There are several other Python functions that call Printf with > > user-supplied data, but this is the cleanest one. > > > > As for what this can be used for: I'm not an expert in exploiting > > vulnerabilities, but it allows any user who can supply either Python code > > to be executed, or certain specific strings such as the name of a font, to > > write an arbitrary number of bytes to a location on the heap, and I know > > that that can potentially be used to compromise a machine. > diff --git a/lib/matplotlib/__init__.py b/lib/matplotlib/__init__.py > index c7e3141..37feb20 100644 > --- a/lib/matplotlib/__init__.py > +++ b/lib/matplotlib/__init__.py > @@ -1114,6 +1114,7 @@ default_test_modules = [ > 'matplotlib.tests.test_lines', > 'matplotlib.tests.test_mathtext', > 'matplotlib.tests.test_mlab', > + 'matplotlib.tests.test_mplutils', > 'matplotlib.tests.test_patches', > 'matplotlib.tests.test_pickle', > 'matplotlib.tests.test_rcparams', > diff --git a/lib/matplotlib/tests/test_mplutils.py > b/lib/matplotlib/tests/test_mplutils.py > new file mode 100644 > index 0000000..e37e41c > --- /dev/null > +++ b/lib/matplotlib/tests/test_mplutils.py > @@ -0,0 +1,12 @@ > +from __future__ import print_function > +from nose.tools import assert_raises > +from matplotlib import ft2font > +from matplotlib.testing.decorators import knownfailureif > +import sys > + > +def test_printf_buffer(): > + """Tests Printf for buffer overrun.""" > + # Use ft2font.FT2Font, which indirectly calls the Printf function in > + # mplutils.cpp. > + # Expect a RuntimeError, since the font is not found. > + assert_raises(RuntimeError, ft2font.FT2Font, 'x' * 2048) > diff --git a/src/mplutils.cpp b/src/mplutils.cpp > index febb97a..af3a2f3 100644 > --- a/src/mplutils.cpp > +++ b/src/mplutils.cpp > @@ -18,7 +18,10 @@ Printf::Printf(const char *fmt, ...) > { > va_list ap; > va_start(ap, fmt); > - vsprintf(buffer, fmt, ap); > + vsnprintf(buffer, 1024, fmt, ap); > + // Null-terminate the string. Non-standard C implementations (e.g., > + // Microsoft Visual C++) do not do this automatically. > + buffer[1023] = '\0'; > va_end(ap); // look ma - I rememberd it this time > } This was assigned CVE-2013-1424 back then from the Debian CVE pool. Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
