Re: Buffer overflow in Python code

From: Chris Ess (azarinat_private)
Date: Sun Nov 25 2001 - 10:05:14 PST


    > I've found a buffer overflow in Python 2.1.1 source code. (Maybe
    > there are many others.) The buffer overflow is in the file traceback.c
    > in the directory Python of the Python source code.
    >
    > Simply, there's a sprintf done in this way:
    > sprintf(linebuf,FMT,filename,lineno,name). What causes the overflow is
    > the name parameter, which could be > 1000 (linebuf size). Alex Martelli
    > <aleaxat_private> has submitted the bug on SourceForge as 485175, and
    > produced the following script to demonstrate the overflow:
    
    Using the supplied script, I did achieve a segfault during the traceback
    with Python 2.1.  However, I'm hard-pressed to figure out how one would
    exploit this... After all, the Python binary is rarely SUID or SGID.  (I
    know it's not on my system.)
    
    Is this a bug in the code?  Yes.
    
    Is this a security concern?  Right now, I'm inclined to say 'no'.  However
    if it is, I would appreciate being told why.
    
    Sincerely,
    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)
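
The sprintf-into-fixed-buffer pattern the quoted report describes, as an added example (this is not code from Python's traceback.c and not something either poster wrote): it measures how long the formatted traceback line would be, flags when the unbounded sprintf from the report would run past a 1000-byte linebuf, and puts the bounded snprintf form beside it. The format string FMT, the file name "script.py" and the line number 1 are assumptions, since the post does not quote the real FMT; the function-name lengths are constructed inputs.

```c
/* Added example, not code from Python's traceback.c or from the list posters.
 * Assumptions: linebuf is 1000 bytes as the report says; FMT is assumed to be
 * "  File \"%s\", line %d, in %s\n" because the post does not quote it;
 * "script.py" and line 1 are constructed demo inputs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINEBUF_SIZE 1000                       /* size given in the report */
#define FMT "  File \"%s\", line %d, in %s\n"   /* assumed format string */

/* Bytes the formatted line needs, NUL excluded, computed without writing
 * anywhere: C99 snprintf with a NULL buffer and size 0 only measures. */
int traceback_line_length(const char *filename, int lineno, const char *name)
{
    return snprintf(NULL, 0, FMT, filename, lineno, name);
}

/* 1 if sprintf(linebuf, FMT, ...) would write past a LINEBUF_SIZE buffer
 * (the formatted text plus its terminating NUL must fit), otherwise 0. */
int would_overflow_linebuf(const char *filename, int lineno, const char *name)
{
    return traceback_line_length(filename, lineno, name) + 1 > LINEBUF_SIZE;
}

/* Hardened form of the same call: snprintf bounds the write and always
 * NUL-terminates when outsz > 0.  Returns the line length on success, or -1
 * if the output was truncated so the caller can drop or shorten the line. */
int format_line_bounded(char *out, size_t outsz,
                        const char *filename, int lineno, const char *name)
{
    int n = snprintf(out, outsz, FMT, filename, lineno, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Constructed input: a function name of name_len 'A's, standing in for the
 * attacker-controlled "name" field from the report. */
static char *make_name(size_t name_len)
{
    char *name = malloc(name_len + 1);
    if (!name)
        return NULL;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return name;
}

/* Would the unbounded sprintf overflow for a name of this length? */
int overflow_for_name_length(size_t name_len)
{
    char *name = make_name(name_len);
    int r;
    if (!name)
        return -1;
    r = would_overflow_linebuf("script.py", 1, name);
    free(name);
    return r;
}

/* Same input through the bounded formatter into a 1000-byte buffer:
 * returns the line length when it fits, -1 when it was truncated. */
int bounded_for_name_length(size_t name_len)
{
    char linebuf[LINEBUF_SIZE];
    char *name = make_name(name_len);
    int r;
    if (!name)
        return -2;
    r = format_line_bounded(linebuf, sizeof linebuf, "script.py", 1, name);
    free(name);
    return r;
}

int main(void)
{
    size_t lens[] = { 10, 967, 968, 1500 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name length %4zu: unbounded sprintf overflows=%d, bounded result=%d\n",
               lens[i], overflow_for_name_length(lens[i]),
               bounded_for_name_length(lens[i]));
    return 0;
}
```

With the assumed FMT and inputs the fixed text already takes 32 bytes of the line, so a name of 968 characters is the first length whose line plus NUL no longer fits in linebuf and the unbounded sprintf would write past it, while the snprintf form reports truncation and leaves the buffer NUL-terminated. The real FMT in traceback.c may put the cut-over elsewhere; the point is the length check, not the number.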
    
