python-gdchart causes python to crash

Bug #395204 reported by Adrian Perez
Affects: pygdchart2 (Debian)  Status: Fix Released  Importance: Unknown
Affects: pygdchart2 (Ubuntu)  Status: Fix Released  Importance: Low  Assigned to: Kees Cook

Bug Description

Binary package hint: python-gdchart

Hello, I was stepping through some gdchart examples, and suddenly
came across this.
There's probably a bug in gdchart which almost led to a segfault
(smashing detected); the version says beta, but since it makes
stable python crash I think it should at least be
reported.

ubuntu version: Ubuntu 9.04
python version: 2.6.2-0ubuntu1
python-gdchart2 version: 0.beta1-3.4build1

How to reproduce:

sudo apt-get install python-gdchart2

crashes.py:
#!/usr/bin/env python
import gdchart

def crashes():
    chart = gdchart.Bar()
    chart.width = 400
    chart.height = 400
    chart.bg_color = 'white'
    chart.plot_color = 'black'
    chart.xtitle = "Blah"
    chart.ytitle = "Blah"
    chart.title = "Blah"
    chart.setData([100, 200, 300, 400])
    chart.setLabels(['1', '2', '3', '4'])
    chart.draw('test.png')

if __name__ == '__main__':
    crashes()

Stacktrace:

In [14]: chart.draw('test.png')
*** buffer overflow detected ***: /usr/bin/python terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4b)[0xb7f3daab]
/lib/libc.so.6[0xb7f3baf0]
/lib/libc.so.6(__strcpy_chk+0x44)[0xb7f3ae24]
/var/lib/python-support/python2.6/_gdchartc.so(getStringsFromSequence+0xa7)[0xb79f69f7]
/var/lib/python-support/python2.6/_gdchartc.so(pygd_out_graph+0x110)[0xb79f6c10]
/usr/bin/python(PyEval_EvalFrameEx+0x4d82)[0x80de562]
/usr/bin/python(PyEval_EvalFrameEx+0x5da7)[0x80df587]
/usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
/usr/bin/python(PyEval_EvalFrameEx+0x46da)[0x80ddeba]
/usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
/usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
/usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
/usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
/usr/bin/python(PyEval_EvalFrameEx+0x5da7)[0x80df587]
/usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
/usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
/usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
/usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
/usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
/usr/bin/python(PyEval_EvalFrameEx+0x4e18)[0x80de5f8]
/usr/bin/python(PyEval_EvalCodeEx+0x7a8)[0x80e00b8]
/usr/bin/python(PyEval_EvalCode+0x57)[0x80e0217]
/usr/bin/python(PyRun_FileExFlags+0x121)[0x80fe0e1]
/usr/bin/python(PyRun_SimpleFileExFlags+0x1da)[0x80fe43a]
/usr/bin/python(Py_Main+0xcb2)[0x805c882]
/usr/bin/python(main+0x22)[0x805b972]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb7e6d7a5]
/usr/bin/python[0x805b8b1]
======= Memory map: ========
Aborted

Tags: segfault

Jonas Smedegaard (dr) wrote: Re: Bug#301563: python2.3-gdchart2: Segfault with names longer than 8 chars - Bar3D()

Hi Nullcube,

I am the package maintainer for pygdchart in Debian.

Please have a look at the bugreport below...

Kind regards,

 - Jonas

On 26-03-2005 21:36, fip wrote:
> Package: python2.3-gdchart2
> Version: 0.beta1-1
> Severity: normal
>
> Hi!
>
> Bug should be easily reproducible.
>
>
> import gdchart
> # Assumed sample values: the report does not define these variables or outfile
> prozent_alko, prozent_suppe, prozent_nicht_alko = 40, 20, 40
> outfile = "trinkmengen.png"
> Bar = gdchart.Bar3D()
> Bar.title = "Trinkmengen"
> Bar.width = 250
> Bar.height = 250
> Bar.setData([prozent_alko, prozent_suppe, prozent_nicht_alko])
> Bar.ytitle = "Prozent"
>
> Bar.setLabels(["Alkohol", "Suppe", "Fooooooooooooooo"]) ## Caution, buggy: "Zwischenmahlzeit" is too long!!! segfa
>
> Bar.ext_color = ["blue", "red", "green"]
> Bar.draw(outfile)
>
>
> In short, with longer labels (8+) you'll get a segfault.
>
> Regards,
>
> mh

--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136 Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm

Martin (debacle) wrote: Segfault with names longer than 11 chars - Pie/Pie3D()

Very similar to the original bug report, just another
constructor and three characters more until it segfaults:

import gdchart

myPie = gdchart.Pie3D()
myPie.width = 250
myPie.height = 250
myPie.title = "Pie3D"
myPie.setData(1, 2, 3, 4, 5)
myPie.setLabels(["One123456789", "Two", "Three", "Four", "Five"])
myPie.color = ["red", "green", "yellow", "orange", "blue"]
myPie.explode = [0, 0, 20, 0, 0]
myPie.draw("pie3D.png")

(as http://www.nullcube.com/software/pygdchart2/doc/pies.html,
but with longer first label)

Cheers, WB

John Eikenberry (jae) wrote: Fixed. python2.3-gdchart2: Segfault with names longer than 8 chars

Package: python2.3-gdchart2
Version: 0.beta1-3ubuntu1
Followup-For: Bug #301563

Using Ubuntu currently, so this was actually fixed and tested on that
system. But it is still debian so...

I tested this fix with both python2.3 and python2.4. It was a classic
mistake of using '=' instead of '==' in a conditional. Unified diff
attached that fixes the issue.

-- System Information:
Debian Release: testing/unstable
  APT prefers dapper-updates
  APT policy: (990, 'dapper-updates'), (990, 'dapper-security'), (990, 'dapper-backports'), (990, 'dapper')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15-27-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages python2.3-gdchart2 depends on:
ii libc6 2.3.6-0ubuntu20 GNU C Library: Shared libraries an
ii libfreetype6 2.1.10-1ubuntu2.2 FreeType 2 font engine, shared lib
ii libgd2-xpm 2.0.33-2ubuntu5.1 GD Graphics Library version 2
ii libgdchart-gd2-xpm 0.11.5-3 Generate graphs using the GD libra
ii libjpeg62 6b-11 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.8rel-5 PNG library - runtime
ii python2.3 2.3.5-9ubuntu1.2 An interactive high-level object-o
ii zlib1g 1:1.2.3-6ubuntu4 compression library - runtime

python2.3-gdchart2 recommends no packages.

-- no debconf information

Marco Rodrigues (gothicx-sapo) wrote: reassign 301563 to pygdchart2

# Automatically generated email from bts, devscripts version 2.10.26ubuntu7~hardy1
reassign 301563 pygdchart2


Adrian Perez (adrianperez-deb) wrote :

BTW homepage says that v0.11.5 is available.

Kees Cook (kees)
affects: python-gdchart (Ubuntu) → pygdchart2 (Ubuntu)
Changed in pygdchart2 (Ubuntu):
status: New → Confirmed
Kees Cook (kees) wrote :

It seems that PyString_Size and PyString_AsString aren't getting along?

        slen = PyString_Size(pstr);
        if (slen = 0)
            goto cleanup;
        mem = malloc((size_t)slen+1);
        if (mem == NULL){
            PyErr_NoMemory();
            goto cleanup;
        }
        char *fun = PyString_AsString(pstr);
        printf("slen:%d strlen(fun):%d\n", slen, strlen(fun));
        strcpy(mem, PyString_AsString(pstr));

This prints:
slen:0 strlen(fun):1

with the above example script. Perhaps it should be using PyString_AsStringAndSize ? Or just use strdup...

Regardless, this does not appear to be a security issue, but a "normal" bug. Thanks for the backtrace and details!

security vulnerability: yes → no
visibility: private → public
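The `if (slen = 0)` line in Kees's snippet above is the whole story: it assigns zero to `slen`, so the `malloc()` is always 1 byte and `strcpy()` then writes any label of one or more characters past it, which is the heap overflow `__strcpy_chk` aborted on. The C program below is an added illustration written for this page, not code from pygdchart2: it stands in for the Python string with a small struct (an assumption), computes the buggy buffer size against what `strcpy()` needs, and shows a corrected copy routine that compares properly and sizes and copies from the same length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for a Python 2 string (assumed for this example, not the real
 * PyStringObject): size = PyString_Size(), data = PyString_AsString(). */
struct pystr { const char *data; long size; };

/* Allocation arithmetic of the buggy getStringsFromSequence(): "if (slen = 0)"
 * assigns instead of comparing, so slen is always 0 and the buffer is always
 * 1 byte regardless of the label length. Returns that buffer size. */
size_t buggy_alloc_size(const struct pystr *pstr)
{
    long slen = pstr->size;
    if ((slen = 0))             /* the typo, kept deliberately */
        return 0;
    return (size_t)slen + 1;    /* always 1 */
}

/* Bytes strcpy() would write past that buffer; a positive value is the
 * overflow FORTIFY's __strcpy_chk aborts on. */
long overflow_bytes(const struct pystr *pstr)
{
    return (long)(strlen(pstr->data) + 1) - (long)buggy_alloc_size(pstr);
}

/* Corrected copy: a real comparison, and allocation and copy driven by the
 * same length, so a size/strlen mismatch is rejected instead of overflowing. */
char *copy_label(const struct pystr *pstr)
{
    long slen = pstr->size;
    if (slen < 0 || (size_t)slen != strlen(pstr->data))
        return NULL;
    char *mem = malloc((size_t)slen + 1);
    if (mem == NULL)
        return NULL;
    memcpy(mem, pstr->data, (size_t)slen);
    mem[slen] = '\0';
    return mem;
}

int main(void)
{
    /* constructed inputs: the 1-char label from this report and the 12-char
     * label from the Pie3D follow-up */
    const char *labels[] = { "1", "One123456789" };
    for (int i = 0; i < 2; i++) {
        struct pystr p = { labels[i], (long)strlen(labels[i]) };
        char *copy = copy_label(&p);
        printf("%-13s buggy buffer=%zu, strcpy writes %zu, overflow=%ld, safe=%s\n",
               labels[i], buggy_alloc_size(&p), strlen(labels[i]) + 1,
               overflow_bytes(&p), copy ? copy : "(null)");
        free(copy);
    }
    return 0;
}
```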
Kees Cook (kees) wrote: fix for segfault

Tags: patch
User: <email address hidden>
Usertags: origin-ubuntu karmic ubuntu-patch

Hello,

This was also reported to Ubuntu:
https://bugs.launchpad.net/bugs/395204

The attached patch fixes the issue.

Thanks,

-Kees

--
Kees Cook @debian.org

Changed in pygdchart2 (Ubuntu):
assignee: nobody → Kees Cook (kees)
importance: Undecided → Low
status: Confirmed → Fix Committed
Changed in pygdchart2 (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pygdchart2 - 0.beta1-3.4ubuntu1

---------------
pygdchart2 (0.beta1-3.4ubuntu1) karmic; urgency=low

  * _gdchartc.c: fix string size allocation error (LP: #395204,
    debian bug 301563).

 -- Kees Cook <email address hidden> Fri, 10 Jul 2009 13:48:40 -0700

Changed in pygdchart2 (Ubuntu):
status: Fix Committed → Fix Released
Adrian Perez (adrianperez-deb) wrote : Re: [Bug 395204] Re: python-gdchart causes python to crash

Actually, it's up to you people to flag it as a sec-vuln or not. But as
far as I can see that strcpy is the old well-known buffer overflow
vulnerability. Since gcc and stackshield protection are effectively taking
off the process, no one can tell (or know) whether in the future someone will
circumvent that protection, which means that users could be triggered
with a malicious script that takes control of their machine at some
level. It's a low security vulnerability from my point of view, since it
only affects a specific environment and not its default configuration,
and it's not a network service. As I said, it's up to you to say.


Changed in pygdchart2 (Debian):
status: New → Fix Released