Comment 11 for bug 395204

Adrian Perez (adrianperez-deb) wrote : Re: [Bug 395204] Re: python-gdchart causes python to crash

Actually, it's up to you people to flag it as a sec-vuln or not. But as
far as I can see that strcpy is the old known buffer overflow
vulnerability. Since gcc and stackshield protection are effectively taking
off the process, no one can tell if in the future (or know) someone will
circumvent that protection, which means that users could be triggered
with a malicious script that takes control of their machine at some
level. It's a low security vulnerability from my point of view, since it
only affects a specific environment and not its default configuration,
and it's not a network service. As I said, it's up to you to say.

On Fri, 2009-07-10 at 21:08 +0000, Kees Cook wrote:
> It seems that PyString_Size and PyString_AsString aren't getting along?
>
> slen = PyString_Size(pstr);
> if (slen = 0)
>     goto cleanup;
> mem = malloc((size_t)slen+1);
> if (mem == NULL){
>     PyErr_NoMemory();
>     goto cleanup;
> }
> char *fun = PyString_AsString(pstr);
> printf("slen:%d strlen(fun):%d\n", slen, strlen(fun));
> strcpy(mem, PyString_AsString(pstr));
>
> This prints:
> slen:0 strlen(fun):1
>
> with the above example script. Perhaps it should be using
> PyString_AsStringAndSize ? Or just use strdup...
>
> Regardless, this does not appear to be a security issue, but a "normal"
> bug. Thanks for the backtrace and details!
>
> ** Visibility changed to: Public
>
> ** This bug is no longer flagged as a security vulnerability
>
> --
> python-gdchart causes python to crash
> https://bugs.launchpad.net/bugs/395204
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “pygdchart2” package in Ubuntu: Confirmed
> Status in “pygdchart2” package in Debian: Unknown
>
> Bug description:
> Binary package hint: python-gdchart
>
> Hello, I was stepping through some gdchart examples, and suddenly
> came into this.
> There's probably a bug in gdchart which almost led to segfault
> (smashing detected), the version says beta, but since it makes
> stable python to crash then I think it should at least be
> reported.
>
> ubuntu version: Ubuntu 9.04
> python version: 2.6.2-0ubuntu1
> python-gdchart2 version: 0.beta1-3.4build1
>
> How to reproduce:
>
> sudo apt-get install python-gdchart2
>
> crashes.py:
> #!/usr/bin/env python
> import gdchart
>
> def crashes():
>     chart = gdchart.Bar()
>     chart.width = 400
>     chart.height = 400
>     chart.bg_color = 'white'
>     chart.plot_color = 'black'
>     chart.xtitle = "Blah"
>     chart.ytitle = "Blah"
>     chart.title = "Blah"
>     chart.setData([100, 200, 300, 400])
>     chart.setLabels(['1', '2', '3', '4'])
>     chart.draw('test.png')
>
> if __name__ == '__main__':
>     crashes()
>
> Stacktrace:
>
> In [14]: chart.draw('test.png')
> *** buffer overflow detected ***: /usr/bin/python terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x4b)[0xb7f3daab]
> /lib/libc.so.6[0xb7f3baf0]
> /lib/libc.so.6(__strcpy_chk+0x44)[0xb7f3ae24]
> /var/lib/python-support/python2.6/_gdchartc.so(getStringsFromSequence+0xa7)[0xb79f69f7]
> /var/lib/python-support/python2.6/_gdchartc.so(pygd_out_graph+0x110)[0xb79f6c10]
> /usr/bin/python(PyEval_EvalFrameEx+0x4d82)[0x80de562]
> /usr/bin/python(PyEval_EvalFrameEx+0x5da7)[0x80df587]
> /usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
> /usr/bin/python(PyEval_EvalFrameEx+0x46da)[0x80ddeba]
> /usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
> /usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
> /usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
> /usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
> /usr/bin/python(PyEval_EvalFrameEx+0x5da7)[0x80df587]
> /usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
> /usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
> /usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
> /usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
> /usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
> /usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
> /usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
> /usr/bin/python(PyEval_EvalCode+0x57)[0x80e0217]
> /usr/bin/python(PyRun_FileExFlags+0x121)[0x80fe0e1]
> /usr/bin/python(PyRun_SimpleFileExFlags+0x1da)[0x80fe43a]
> /usr/bin/python(Py_Main+0xcb2)[0x805c882]
> /usr/bin/python(main+0x22)[0x805b972]
> /lib/libc.so.6(__libc_start_main+0xe5)[0xb7e6d7a5]
> /usr/bin/python[0x805b8b1]
> ======= Memory map: ========
> Aborted
--
Best regards,

Adrian Perez <email address hidden>
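As an added illustration (not code from python-gdchart or from either commenter), the quoted copy modelled in plain C with a constructed stand-in for the Python string object: the `=` in `if (slen = 0)` assigns rather than compares, so `slen` is 0 afterwards, the allocation is one byte, and `strcpy()` writes `strlen+1` bytes, which is exactly the `slen:0 strlen(fun):1` printout; the hardened form allocates and copies by the same length.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a Python string object: length (PyString_Size)
 * kept apart from the bytes (PyString_AsString). Not the CPython layout. */
typedef struct { long size; const char *data; } pystr_t;

/* Size the quoted snippet allocates. The '=' in "if (slen = 0)" assigns
 * instead of comparing: the test is always false and slen is 0 afterwards. */
static long quoted_alloc_size(const pystr_t *p)
{
    long slen = p->size;    /* slen = PyString_Size(pstr); */
    slen = 0;               /* what "if (slen = 0)" does; the goto never fires */
    return slen + 1;        /* malloc((size_t)slen+1) */
}

/* 1 if strcpy() (strlen+1 bytes) would write past that allocation. */
static int quoted_copy_overflows(const pystr_t *p)
{
    return (long)strlen(p->data) + 1 > quoted_alloc_size(p);
}

/* Hardened form: the length used for malloc() is the length used for the
 * copy, so the copy cannot exceed the buffer, and embedded NUL bytes survive
 * (strcpy/strdup would stop at the first one). */
static char *copy_fixed(const pystr_t *p)
{
    long slen = p->size;
    if (slen < 0)
        return NULL;
    char *mem = malloc((size_t)slen + 1);
    if (mem == NULL)
        return NULL;
    memcpy(mem, p->data, (size_t)slen);
    mem[slen] = '\0';
    return mem;
}

int main(void)
{
    pystr_t title = { 4, "Blah" };   /* constructed; chart.title from crashes.py */
    char *copy = copy_fixed(&title);
    printf("quoted alloc %ld, overflows %d, fixed copy %s\n",
           quoted_alloc_size(&title), quoted_copy_overflows(&title), copy);
    free(copy);
    return 0;
}
```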