Launchpad CVE tracker

CVE 2021-3177

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

Related bugs and status

CVE-2021-3177 (Candidate) is related to these bugs:

Bug #1811531: remote execution vulnerability

		In	Importance	Status
1811531	remote execution vulnerability	zeromq3 (Ubuntu)	Undecided	Fix Released
1811531	remote execution vulnerability	zeromq3 (Debian)	Unknown	Fix Released
1811531	remote execution vulnerability	zeromq (Suse)	High	Fix Released

Bug #1916117: CVE-2021-3177 in python2.7

Summary				In	Importance	Status
	1916117	CVE-2021-3177 in python2.7		python2.7 (Ubuntu)	Undecided	Fix Released

Bug #1916480: CVE-2021-3177: buffer overflow when parsing floats

Summary				In	Importance	Status
	1916480	CVE-2021-3177: buffer overflow when parsing floats		python3.6 (Ubuntu)	Undecided	Confirmed
	1916480	CVE-2021-3177: buffer overflow when parsing floats		python3.8 (Ubuntu)	Undecided	Fix Released

Bug #1916893: Regression - upate python2.7 for cover CVE-2021-3177 modifying unicode parts cause serious regressions

Summary				In	Importance	Status
	1916893	Regression - upate python2.7 for cover CVE-2021-3177 modifying unicode parts cause serious regressions		python2.7 (Ubuntu)	Undecided	Fix Released

Bug #1987927: CVE: CVE-2021-3177 - python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c

Summary				In	Importance	Status
	1987927	CVE: CVE-2021-3177 - python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c		StarlingX	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2021-3177

References