Your message dated Sat, 14 Feb 2015 01:49:00 +0000
with message-id <e1ymrqu-0001aq...@franck.debian.org>
and subject line Bug#775691: fixed in matplotlib 1.4.2-3.1
has caused the Debian Bug report #775691,
regarding matplotlib: CVE-2013-1424: printf buffer overrun
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775691: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775691
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:matplotlib
version: 0.99.3-1
severity: serious
tag: security, patch

Matt Giuca reported a matplotlib buffer overrun to the private
security team request tracker in 2013, which ended up falling through
the cracks at the time.  See below for the original message and a
proposed patch attached.

On Wed, Jan 23, 2013 at 11:21:14PM +0000, Matt Giuca via RT wrote:
> The bug is in 
> src/mplutils.cpp<https://github.com/matplotlib/matplotlib/blob/master/src/mplutils.cpp>.
> The Printf::Printf constructor accepts an arbitrary format string and
> values, and dumps it into a 1024-byte buffer with vsprintf. This is
> obviously not safe, as the user can simply supply enough bytes to overflow
> the 1024-byte buffer.
>
> The bug can be exploited from Python code, through a number of
> Python-exposed functions that call Printf. The most obvious entry-point I
> can find is ft2font.FT2Font constructor:
>
> >>> from matplotlib import ft2font
> >>> ft2font.FT2Font('x' * 2048)
> *** glibc detected *** python: free(): invalid next size (normal):
> 0x00000000029f1480 ***
>
> There are several other Python functions that call Printf with
> user-supplied data, but this is the cleanest one.
>
> As for what this can be used for: I'm not an expert in exploiting
> vulnerabilities, but it allows any user who can supply either Python code
> to be executed, or certain specific strings such as the name of a font, to
> write an arbitrary number of bytes to a location on the heap, and I know
> that that can potentially be used to compromise a machine.
diff --git a/lib/matplotlib/__init__.py b/lib/matplotlib/__init__.py
index c7e3141..37feb20 100644
--- a/lib/matplotlib/__init__.py
+++ b/lib/matplotlib/__init__.py
@@ -1114,6 +1114,7 @@ default_test_modules = [
     'matplotlib.tests.test_lines',
     'matplotlib.tests.test_mathtext',
     'matplotlib.tests.test_mlab',
+    'matplotlib.tests.test_mplutils',
     'matplotlib.tests.test_patches',
     'matplotlib.tests.test_pickle',
     'matplotlib.tests.test_rcparams',
diff --git a/lib/matplotlib/tests/test_mplutils.py b/lib/matplotlib/tests/test_mplutils.py
new file mode 100644
index 0000000..e37e41c
--- /dev/null
+++ b/lib/matplotlib/tests/test_mplutils.py
@@ -0,0 +1,12 @@
+from __future__ import print_function
+from nose.tools import assert_raises
+from matplotlib import ft2font
+from matplotlib.testing.decorators import knownfailureif
+import sys
+
+def test_printf_buffer():
+    """Tests Printf for buffer overrun."""
+    # Use ft2font.FT2Font, which indirectly calls the Printf function in
+    # mplutils.cpp.
+    # Expect a RuntimeError, since the font is not found.
+    assert_raises(RuntimeError, ft2font.FT2Font, 'x' * 2048)
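Review bot: `print_function`, `knownfailureif` and `sys` are imported in test_mplutils.py but never used; drop those three lines so the new module stays lint-clean. Note also that `assert_raises(RuntimeError, ft2font.FT2Font, 'x' * 2048)` only demonstrates that the process no longer aborts: the RuntimeError comes from the font not being found, so the assertion does not verify that the formatted message was actually bounded to the buffer. Running this test under a memory checker in CI, or asserting on the length of the raised message, would make the regression check stronger.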
diff --git a/src/mplutils.cpp b/src/mplutils.cpp
index febb97a..af3a2f3 100644
--- a/src/mplutils.cpp
+++ b/src/mplutils.cpp
@@ -18,7 +18,10 @@ Printf::Printf(const char *fmt, ...)
 {
     va_list ap;
     va_start(ap, fmt);
-    vsprintf(buffer, fmt, ap);
+    vsnprintf(buffer, 1024, fmt, ap);
+    // Null-terminate the string. Non-standard C implementations (e.g.,
+    // Microsoft Visual C++) do not do this automatically.
+    buffer[1023] = '\0';
     va_end(ap);  // look ma - I rememberd it this time
 }
 
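Review bot: the bound in `vsnprintf(buffer, 1024, fmt, ap);` and the terminator index in `buffer[1023] = '\0';` both hard-code the size of `buffer`, which is declared elsewhere; use `sizeof(buffer)` and `sizeof(buffer) - 1` so the two cannot drift apart if the array is ever resized. The return value of `vsnprintf` is also discarded: a value greater than or equal to the bound means the message was silently truncated, which is the safe outcome, but the font-name error path would be easier to diagnose if truncation were at least visible to the caller.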

--- End Message ---
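The report above describes the defect (an unbounded `vsprintf` into a fixed 1024-byte buffer) and the patch replaces it with a bounded `vsnprintf`. The following is an added example, not code from matplotlib or from the reporter, showing the hardened pattern a maintainer would want: the bound is derived from `sizeof()` rather than a repeated literal, the buffer is terminated regardless of runtime behaviour, and the return value of `vsnprintf` is used to flag truncation instead of discarding it. The `safe_printf_t` type, `safe_printf` function and the constructed 4095-character "font name" are all assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not matplotlib's Printf): a bounded formatter in the
 * spirit of the patched Printf::Printf.  The bound and the terminator index
 * are both taken from sizeof(buffer) so they cannot drift apart. */

#define SAFE_BUF_SIZE 1024

typedef struct {
    char buffer[SAFE_BUF_SIZE];
    int truncated;   /* 1 if the formatted output did not fit in buffer */
} safe_printf_t;

/* Format into sp->buffer without ever writing past it.  Returns the length
 * of the string actually stored (at most SAFE_BUF_SIZE - 1). */
size_t safe_printf(safe_printf_t *sp, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    /* vsnprintf writes at most sizeof(buffer) bytes including the NUL and
     * returns the length the complete output would have had. */
    int needed = vsnprintf(sp->buffer, sizeof(sp->buffer), fmt, ap);
    va_end(ap);

    /* Defensive terminator for old runtimes (pre-C99 / old MSVC) whose
     * vsnprintf does not NUL-terminate when the output is truncated. */
    sp->buffer[sizeof(sp->buffer) - 1] = '\0';

    /* A negative return is an encoding error; a return >= the bound means
     * the output was cut off.  Both are reported as truncation. */
    sp->truncated = (needed < 0 || (size_t)needed >= sizeof(sp->buffer));
    return strlen(sp->buffer);
}

/* Worked check with a constructed 4095-character "font name", the same
 * shape as the 'x' * 2048 input in the report.  Returns 1 if the output
 * was bounded to the buffer and flagged as truncated, 0 otherwise. */
int demo_long_name(void)
{
    safe_printf_t sp;
    char big[4096];
    memset(big, 'x', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    size_t n = safe_printf(&sp, "Could not load font %s", big);
    return n == sizeof(sp.buffer) - 1 && sp.truncated;
}

int main(void)
{
    safe_printf_t sp;
    safe_printf(&sp, "Could not load font %s", "foo.ttf");
    printf("%s (truncated=%d)\n", sp.buffer, sp.truncated);
    printf("long name bounded and flagged: %d\n", demo_long_name());
    return 0;
}
```

The `truncated` flag is the piece the patch leaves out: with it, a caller building an error message from a user-supplied font name can tell that the name was cut, and a test can assert on the bound directly rather than only on "no crash".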
--- Begin Message ---
Source: matplotlib
Source-Version: 1.4.2-3.1

We believe that the bug you reported is fixed in the latest version of
matplotlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilb...@debian.org> (supplier of updated matplotlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Feb 2015 23:16:11 +0000
Source: matplotlib
Binary: python-matplotlib python3-matplotlib python-matplotlib-data 
python-matplotlib-doc python-matplotlib-dbg python3-matplotlib-dbg
Architecture: source all
Version: 1.4.2-3.1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi <mo...@debian.org>
Changed-By: Michael Gilbert <mgilb...@debian.org>
Description:
 python-matplotlib - Python based plotting system in a style similar to Matlab
 python-matplotlib-data - Python based plotting system (data package)
 python-matplotlib-dbg - Python based plotting system (debug extension)
 python-matplotlib-doc - Python based plotting system (documentation package)
 python3-matplotlib - Python based plotting system in a style similar to Matlab (Python
 python3-matplotlib-dbg - Python based plotting system (debug extension, Python 3)
Closes: 775691
Changes:
 matplotlib (1.4.2-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2013-1424: printf buffer overrun (closes: #775691).
Checksums-Sha1:
 a8fc19338051e9eca6779dcbaf5307fbd66b7c71 4099 matplotlib_1.4.2-3.1.dsc
 b23cc991fcc781b0b595c3280ccb03b468ff26c7 26548 matplotlib_1.4.2-3.1.debian.tar.xz
 38fb0f31198d30d607841b0ba0c3ff90ef60c063 3040940 python-matplotlib-data_1.4.2-3.1_all.deb
 0a5412631bcba6d2d9f4f514bb5f567db5aeabd4 74152190 python-matplotlib-doc_1.4.2-3.1_all.deb
Checksums-Sha256:
 5a449343e7eb397d71cf890e79a2a8bc1035067b71753c95196890354d1390d7 4099 matplotlib_1.4.2-3.1.dsc
 c84b477d0bc3612df10f83924280ab30f3723b608f5612599a7a44edcb735ea5 26548 matplotlib_1.4.2-3.1.debian.tar.xz
 6312cca3ff7f26faa030807d051a807537df85ba7e4d24ec01eabd6e6344b842 3040940 python-matplotlib-data_1.4.2-3.1_all.deb
 bf4231e810eb4cf4b5979ee9d9a78c908a324568dde5c1024961f68feed38f57 74152190 python-matplotlib-doc_1.4.2-3.1_all.deb
Files:
 320c352d6c707f17ab896eb906836163 4099 python optional matplotlib_1.4.2-3.1.dsc
 67817bea0424aaea7e3d32ab03eeae63 26548 python optional matplotlib_1.4.2-3.1.debian.tar.xz
 7cff802a015fa6531163fcd5e039f3a0 3040940 python optional python-matplotlib-data_1.4.2-3.1_all.deb
 258dcbf23c6357ffd55e7160711a55e5 74152190 doc optional python-matplotlib-doc_1.4.2-3.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
