Your message dated Sat, 14 Feb 2015 11:19:07 +0000
with message-id <e1ymakd-0002pd...@franck.debian.org>
and subject line Bug#775691: fixed in matplotlib 1.4.3~rc1-1
has caused the Debian Bug report #775691,
regarding matplotlib: CVE-2013-1424: printf buffer overrun
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775691: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775691
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:matplotlib
version: 0.99.3-1
severity: serious
tag: security, patch

Matt Giuca reported a matplotlib buffer overrun to the private
security team request tracker in 2013, which ended up falling through
the cracks at the time.  See below for the original message and a
proposed patch attached.

On Wed, Jan 23, 2013 at 11:21:14PM +0000, Matt Giuca via RT wrote:
> The bug is in src/mplutils.cpp
> <https://github.com/matplotlib/matplotlib/blob/master/src/mplutils.cpp>.
> The Printf::Printf constructor accepts an arbitrary format string and
> values, and dumps it into a 1024-byte buffer with vsprintf. This is
> obviously not safe, as the user can simply supply enough bytes to overflow
> the 1024-byte buffer.
>
> The bug can be exploited from Python code, through a number of
> Python-exposed functions that call Printf. The most obvious entry-point I
> can find is ft2font.FT2Font constructor:
>
> >>> from matplotlib import ft2font
> >>> ft2font.FT2Font('x' * 2048)
> *** glibc detected *** python: free(): invalid next size (normal):
> 0x00000000029f1480 ***
>
> There are several other Python functions that call Printf with
> user-supplied data, but this is the cleanest one.
>
> As for what this can be used for: I'm not an expert in exploiting
> vulnerabilities, but it allows any user who can supply either Python code
> to be executed, or certain specific strings such as the name of a font, to
> write an arbitrary number of bytes to a location on the heap, and I know
> that that can potentially be used to compromise a machine.
diff --git a/lib/matplotlib/__init__.py b/lib/matplotlib/__init__.py
index c7e3141..37feb20 100644
--- a/lib/matplotlib/__init__.py
+++ b/lib/matplotlib/__init__.py
@@ -1114,6 +1114,7 @@ default_test_modules = [
     'matplotlib.tests.test_lines',
     'matplotlib.tests.test_mathtext',
     'matplotlib.tests.test_mlab',
+    'matplotlib.tests.test_mplutils',
     'matplotlib.tests.test_patches',
     'matplotlib.tests.test_pickle',
     'matplotlib.tests.test_rcparams',
diff --git a/lib/matplotlib/tests/test_mplutils.py b/lib/matplotlib/tests/test_mplutils.py
new file mode 100644
index 0000000..e37e41c
--- /dev/null
+++ b/lib/matplotlib/tests/test_mplutils.py
@@ -0,0 +1,12 @@
+from __future__ import print_function
+from nose.tools import assert_raises
+from matplotlib import ft2font
+from matplotlib.testing.decorators import knownfailureif
+import sys
+
+def test_printf_buffer():
+    """Tests Printf for buffer overrun."""
+    # Use ft2font.FT2Font, which indirectly calls the Printf function in
+    # mplutils.cpp.
+    # Expect a RuntimeError, since the font is not found.
+    assert_raises(RuntimeError, ft2font.FT2Font, 'x' * 2048)
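Review bot: three of the imports in the new file (`print_function`, `knownfailureif`, `sys`) are unused and should be dropped. More substantively, `assert_raises(RuntimeError, ft2font.FT2Font, 'x' * 2048)` only shows that the 2048-character name now reaches the font-not-found error path without aborting the interpreter; a short heap overrun that does not trip glibc's malloc consistency checks would pass this test unchanged, so it is a smoke test for the crash in the report rather than a check on the buffer bound itself. Running the suite under a memory checker (ASan or valgrind) is what makes this regression test meaningful.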
diff --git a/src/mplutils.cpp b/src/mplutils.cpp
index febb97a..af3a2f3 100644
--- a/src/mplutils.cpp
+++ b/src/mplutils.cpp
@@ -18,7 +18,10 @@ Printf::Printf(const char *fmt, ...)
 {
     va_list ap;
     va_start(ap, fmt);
-    vsprintf(buffer, fmt, ap);
+    vsnprintf(buffer, 1024, fmt, ap);
+    // Null-terminate the string. Non-standard C implementations (e.g.,
+    // Microsoft Visual C++) do not do this automatically.
+    buffer[1023] = '\0';
     va_end(ap);  // look ma - I rememberd it this time
 }
 
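Review bot: the bound and the terminator index are hard-coded (`vsnprintf(buffer, 1024, fmt, ap);` and `buffer[1023] = '\0';`) although `buffer` is declared outside this hunk; use `sizeof(buffer)` and `sizeof(buffer) - 1` so the two cannot drift from the declaration. The return value of `vsnprintf` is discarded, so an over-long message is now silently cut instead of overflowing; if callers should see that, keep the result. The comment should also name the real culprit: C99 `vsnprintf` always terminates when the size is non-zero, it is MSVC's `_vsnprintf` that did not, so the explicit terminator is defensive rather than required on conforming implementations. Unrelated, but `rememberd` in the unchanged context line could be fixed while here.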

--- End Message ---
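The unbounded vsprintf shape from the report beside a bounded form that also records truncation, as an added C example that is neither matplotlib's code nor part of the original message; the `printf_buf` struct, the function names and the "Could not load font" message text are constructed for illustration:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not matplotlib's code: a plain-C model of the Printf
 * class in src/mplutils.cpp, with the same 1024-byte buffer. */
#define PRINTF_BUFSZ 1024
struct printf_buf {
    char buffer[PRINTF_BUFSZ];
    int truncated;   /* 1 if the formatted text did not fit */
};

/* The shape the report describes: vsprintf has no bound, so a long %s
 * argument writes past the end of buffer[]. Kept only for contrast. */
void printf_unsafe(struct printf_buf *pb, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(pb->buffer, fmt, ap);
    va_end(ap);
}

/* Hardened form: bound taken from the array itself, explicit terminator
 * (old MSVC _vsnprintf did not add one), and the vsnprintf return value
 * checked so that truncation is recorded rather than silent. */
int printf_safe(struct printf_buf *pb, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsnprintf(pb->buffer, sizeof pb->buffer, fmt, ap);
    va_end(ap);
    pb->buffer[sizeof pb->buffer - 1] = '\0';
    pb->truncated = (n < 0 || (size_t)n >= sizeof pb->buffer);
    return n;
}

/* Formats a constructed "font not found" style message for a name of
 * name_len 'x' characters (the report used 2048). Returns 1 when the
 * output was truncated and buffer[] is still a terminated 1023-char
 * string, 0 when the whole message fit. */
int font_error_truncated(size_t name_len)
{
    struct printf_buf pb;
    char name[4096];
    if (name_len >= sizeof name) name_len = sizeof name - 1;
    memset(name, 'x', name_len);
    name[name_len] = '\0';
    printf_safe(&pb, "Could not load font: %s", name);
    return pb.truncated && strlen(pb.buffer) == PRINTF_BUFSZ - 1;
}
```

The 21-character prefix plus a 1002-character name fills the buffer exactly; one more character crosses the bound and is reported as truncation instead of written past the array.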
--- Begin Message ---
Source: matplotlib
Source-Version: 1.4.3~rc1-1

We believe that the bug you reported is fixed in the latest version of
matplotlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi <mo...@debian.org> (supplier of updated matplotlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 14 Feb 2015 00:08:01 +0000
Source: matplotlib
Binary: python-matplotlib python3-matplotlib python-matplotlib-data python-matplotlib-doc python-matplotlib-dbg python3-matplotlib-dbg
Architecture: source all amd64
Version: 1.4.3~rc1-1
Distribution: experimental
Urgency: medium
Maintainer: Sandro Tosi <mo...@debian.org>
Changed-By: Sandro Tosi <mo...@debian.org>
Description:
 python-matplotlib - Python based plotting system in a style similar to Matlab
 python-matplotlib-data - Python based plotting system (data package)
 python-matplotlib-dbg - Python based plotting system (debug extension)
 python-matplotlib-doc - Python based plotting system (documentation package)
 python3-matplotlib - Python based plotting system in a style similar to Matlab (Python 3)
 python3-matplotlib-dbg - Python based plotting system (debug extension, Python 3)
Closes: 613818 775691
Changes:
 matplotlib (1.4.3~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate
   * debian/copyright
     - extend packaging copyright years
   * debian/patches/test_backend_with_timeout.patch
     - removed, merged upstream
   * debian/{control, patches/bts613818_use_system_pycxx.patch}
     - use Debian version of PyCXX, instead of the bundled one; thanks to Julian
       Taylor for the report and the work on Debian PyCXX side: Closes: #613818
   * debian/watch
     - download tarball from GitHub
   * debian/patches/CVE-2013-1424.patch
     - fix a buffer overrun in mplutils Printf(), addressing CVE-2013-1424;
       thanks to Matt Giuca for the patch; Closes: #775691
   * debian/control
     - added locales-all to b-d, needed to ensure en_US.UTF-8 locale is
       available, required by test suite
   * debian/rules
     - fix a FTBFS when building twice in a row

--- End Message ---
