[issue14001] Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request

2012-02-13 Thread Jan Lieskovsky 

New submission from Jan Lieskovsky :

A denial of service flaw was found in the way Simple XML-RPC Server module of 
Python processed client connections, that were closed prior the complete 
request body has been received. A remote attacker could use this flaw to cause 
Python Simple XML-RPC based server process to consume excessive amount of CPU.

Credit:
Issue reported by Daniel Callaghan

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=789790

Steps to reproduce:
--
A) for v3.2.2 version:

1) start server:
cat s.py 
#!/usr/local/bin/python3

from xmlrpc.server import SimpleXMLRPCServer
server = SimpleXMLRPCServer(('127.0.0.1', 12345))
server.serve_forever()

2) # top

3) issue request from client:
echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc 
localhost 12345

Return to 'top' screen and see, how CPU consumption on particular host quickly 
moves to 100%.

B) for v2.7.2 version:

1) start server:

cat s.py 
#!/usr/bin/python

from SimpleXMLRPCServer import SimpleXMLRPCServer

server = SimpleXMLRPCServer(('127.0.0.1', 12345))
server.serve_forever()

Steps 2) and 3) for v2.7.2 version are identical to
those for v3.2.2 version.

--
components: Library (Lib)
messages: 153267
nosy: iankko
priority: normal
severity: normal
status: open
title: Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) 
by processing malformed XMLRPC / HTTP POST request
type: security
versions: Python 2.7, Python 3.2

___
Python tracker 
<http://bugs.python.org/issue14001>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14001] Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request

2012-02-13 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/02/13/3

--

___
Python tracker 
<http://bugs.python.org/issue14001>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue14001] CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request

2012-02-14 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

The CVE identifier of CVE-2012-0845 has been assigned to this issue:
[3] http://www.openwall.com/lists/oss-security/2012/02/13/4

--
title: Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) 
by processing malformed XMLRPC / HTTP POST request -> CVE-2012-0845 Python 
v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing 
malformed XMLRPC / HTTP POST request

___
Python tracker 
<http://bugs.python.org/issue14001>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue16202] sys.path[0] security issues

2012-10-15 Thread Jan Lieskovsky 

Jan Lieskovsky added the comment:

Jeroen,

  just out of curiosity. Is the current issue different from
CVE-2008-5983 (at first quick glance it looks the be the same issue):?
[1] http://bugs.python.org/issue5753

Thank you, Jan.
--
Jan iankko Lieskovsky

--
nosy: +iankko

___
Python tracker 
<http://bugs.python.org/issue16202>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-07-09 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

Hello guys,

  what's the current state of this issue? The proposed patch hasn't
still been projected into upstream Python code, so wondering:
1, when and if it will be?
2, if you have found another solution / patch?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky

--

___
Python tracker 
<http://bugs.python.org/issue5753>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-07-15 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

Link to older Python tracker issue discussing the same problem and
closed with "won't fix":

http://bugs.python.org/issue946373

Strange enough, but implied from reading above issue, just an
idea (don't shoot :)). Wouldn't it be possible to recognize,
if the module name the script | embedded application is trying
to load belongs to && conflicts with the 'standard' Python module
names as listed in:

  http://docs.python.org/modindex.html

and in that case:
  a, issue a warning by loading it?
  b, refuse to import it, in case it doesn't come from usual
 standard Python modules location?

Probably off-topic, but is there in Python some mechanism how to
determine, if the module / module name belongs to:
  a, 'standard Python module set' or
  b, is a custom module, written by Python user?
 (via the Python's interpreter __main__ module's namespace
  dictionary? -- based on [1])

[1] http://www.linuxjournal.com/article/8497

--

___
Python tracker 
<http://bugs.python.org/issue5753>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-04-14 Thread Jan Lieskovsky 

New submission from Jan Lieskovsky :

Common Vulnerabilities and Exposures assigned an identifier
CVE-2008-5983 (and related CVE ids) to the following vulnerability:

Untrusted search path vulnerability in the PySys_SetArgv API function in
Python 2.6 and earlier, and possibly later versions, prepends an empty
string to sys.path when the argv[0] argument does not contain a path
separator, which might allow local users to execute arbitrary code via a
Trojan horse Python file in the current working directory. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5984
https://bugzilla.redhat.com/show_bug.cgi?id=481551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5985
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5986
https://bugzilla.redhat.com/show_bug.cgi?id=481550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5987
https://bugzilla.redhat.com/show_bug.cgi?id=481553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0314
http://bugzilla.gnome.org/show_bug.cgi?id=569214
https://bugzilla.redhat.com/show_bug.cgi?id=481556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0315 
https://bugzilla.redhat.com/show_bug.cgi?id=481560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0316
https://bugzilla.redhat.com/show_bug.cgi?id=481565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0317
https://bugzilla.redhat.com/show_bug.cgi?id=481570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0318
https://bugzilla.redhat.com/show_bug.cgi?id=481572

--
components: Interpreter Core
files: python-CVE-2009-5983.patch
keywords: patch
messages: 85965
nosy: iankko
severity: normal
status: open
title: CVE-2008-5983 python: untrusted python modules search path
type: security
versions: Python 3.1
Added file: http://bugs.python.org/file13685/python-CVE-2009-5983.patch

___
Python tracker 
<http://bugs.python.org/issue5753>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-04-14 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

To sum up the behavior, the following table displays whether
modules are read from the current working directory for various
ways how the python scripts can be launched (unfixed/fixed version):

unfixed   fixed   run as
~~~
yes   no  python test.py
yes   no  python ./test.py
yes   no  python /tmp/396/test.py
yes   no  /bin/env python test.py

yes   yes test.py
yes   yes ./test.py
yes   yes /tmp/396/test.py
yes   yes /usr/bin/python test.py
yes   yes /usr/bin/python ./test.py
yes   yes /usr/bin/python /tmp/396/test.py

nono  test-in-different-dir.py
nono  ./bin/test-in-different-dir.py
nono  python ./bin/test-in-different-dir.py

--

___
Python tracker 
<http://bugs.python.org/issue5753>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-04-14 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

As no longer work of "python ./foo.py" after patch utilization may
cause, the update won't be acceptable, could you guys review the
above patch and potentially provide an another one?

--

___
Python tracker 
<http://bugs.python.org/issue5753>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-04-14 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

Just drop into /tmp and run (you will need the zenity package installed):

python3.1 ./test.py 

or

gedit# unfixed gedit

in that directory.

--
Added file: http://bugs.python.org/file13686/py_umspath_test.tar.gz

___
Python tracker 
<http://bugs.python.org/issue5753>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue2587] PyString_FromStringAndSize() to be considered unsafe

2009-04-29 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

Hello guys,

  if I didn't overlook something pretty obvious, this should work
with python-2.6, but it crashes.

Could you please have a look?

Thanks, Jan.
--
Jan iankko Lieskovsky

--
nosy: +iankko
Added file: http://bugs.python.org/file13815/fromStringAndSize.c

___
Python tracker 
<http://bugs.python.org/issue2587>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-05-05 Thread Jan Lieskovsky 

Jan Lieskovsky  added the comment:

Antoine,

  (re: #msg87083, #msg87084) -- while the API change is acceptable and
reasonable, it doesn't solve the core of the problem. I understand
the change needs to be 'backward compatible' and shouldn't break
the existing Python behavior, but the current proposed patch:

1, doesn't avoid the need to fix the issue (by calling
"PySys_SetArgvEx(argc, argv, 0);") in all current applications embedding
Python,

2, doesn't dismiss the risk of future appearance of application, 
embedding Python interpreter and using it in a vulnerable way
(in fact, all what it does, is adding recommendation / alternative
to use more safer PySys_SetArgv(*, *, 0) for such cases. I don't think
we can just rely on the fact, the developers will use it in a safe
way in the future -- or did I overlooked something?

Wouldn't be possible to fix it 'only in Python' and prevent such
potential future malicious (mis)uses?

To Martin (re: #msg87212):

What's the question of 'security nature' of the issue, Glyph in
message #msg86927 already uncovered potential implications --
if the application was written either 'by accident', or 'by intention',
it shouldn't just allow to execute anything with the privileges of
superuser, and even worse, doing it silently (then the only warranty
for the unprivileged user would be to rely on the fact, the function
was called 'in a safe way' in the application and I suppose such
assumption would completely discourage him from running it).

I recommend the final fix should be applied to all active Python
branches (just comment on second part of Martin's comment).

Regards, Jan.

--

___
Python tracker 
<http://bugs.python.org/issue5753>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue6402] Crash after attempt to set the error indicator via PyErr_SetString()

2009-07-02 Thread Jan Lieskovsky 

New submission from Jan Lieskovsky :

Hello guys,

  i am experiencing segmentation fault, when trying to set the
error indicator via the PyErr_SetString() method called from C source.
This occurs for all Python exceptions, as documented in:

http://docs.python.org/c-api/exceptions.html

Checked Python-2.6.2, also Python-2.4.1 - the crash is present
there (wondering what's wrong with the provided reproducer).

Scenario:

tar xvzf pyexceptions-sample.tar.gz
cd pyexceptions-sample
make
./pyexceptionssample -> 
Segmentation fault (core dumped)

Note: Doesn't matter if compiled with libpython2.6.a or libpython2.4.so,
  the crash is still there.

Here is the most interesting part of the backtrace (the whole
coredump also attached).

gdb ./pyexceptions-sample core.31283

Core was generated by `./pyexceptions-sample'.
Program terminated with signal 11, Segmentation fault.
[New process 31283]
#0  PyErr_Restore (type=0x600058f0, value=0x20435030,
traceback=0x0) at Python/errors.c:39
39  oldtype = tstate->curexc_type;

(gdb) bt
#0  PyErr_Restore (type=0x600058f0, value=0x20435030,
traceback=0x0) at Python/errors.c:39
#1  0x40125180 in PyErr_SetString (exception=0x600058f0,
string=) at Python/errors.c:57
#2  0x40005eb0 in check_value ()
#3  0x40006670 in main ()

(gdb) info args
type = (PyObject *) 0x600058f0
value = (PyObject *) 0x20435030
traceback = (PyObject *) 0x0

(gdb) info locals
tstate = (PyThreadState *) 0x0
oldtype = 
oldvalue = 
oldtraceback = 

(Looks like NULL ptr dereference in tstate = (PyThreadState *)).

Could you please have a look?

Thanks && regards, Jan.
--
Jan iankko Lieskovsky

--
components: Interpreter Core
files: pyexceptions-sample.tar.gz
messages: 90026
nosy: iankko
severity: normal
status: open
title: Crash after attempt to set the error indicator via PyErr_SetString()
type: crash
versions: Python 2.4, Python 2.5, Python 2.6
Added file: http://bugs.python.org/file14428/pyexceptions-sample.tar.gz

___
Python tracker 
<http://bugs.python.org/issue6402>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue6402] Crash after attempt to set the error indicator via PyErr_SetString()

2009-07-02 Thread Jan Lieskovsky 

Changes by Jan Lieskovsky :


Added file: http://bugs.python.org/file14429/core.31283.bz2

___
Python tracker 
<http://bugs.python.org/issue6402>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue6402] Crash after attempt to set the error indicator via PyErr_SetString()

2009-07-02 Thread Jan Lieskovsky 

Changes by Jan Lieskovsky :


--
nosy: +benjamin.peterson, gregory.p.smith, pitrou, psss

___
Python tracker 
<http://bugs.python.org/issue6402>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue17980] CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names

2013-05-16 Thread Jan Lieskovsky 

Jan Lieskovsky added the comment:

The CVE identifier of CVE-2013-2099 has been assigned:
  http://www.openwall.com/lists/oss-security/2013/05/16/6

to this issue.

--
nosy: +iankko
title: ssl.match_hostname() trips over crafted wildcard names -> CVE-2013-2099 
ssl.match_hostname() trips over crafted wildcard names

___
Python tracker 
<http://bugs.python.org/issue17980>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com