[Patches] [ python-Patches-703471 ] (Security Problem) base64.decodestring exposes garbage value

SourceForge.net noreply@sourceforge.net
Fri, 14 Mar 2003 09:14:34 -0800 

Patches item #703471, was opened at 2003-03-14 03:18
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=703471&group_id=5470

Category: Library (Lib)
Group: Python 2.3
Status: Open
Resolution: None
Priority: 8
Submitted By: Hye-Shik Chang (perky)
Assigned to: Thomas Wouters (twouters)
Summary: (Security Problem) base64.decodestring exposes garbage value

Initial Comment:
>>> import base64
>>> base64.decodestring("###################")
'\x0cD\x1a\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
>>> base64.decodestring(".....")
'ps2\x00\x00t'
>>> base64.decodestring("........................")
'\x0cF\x1a\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
>>>
base64.decodestring(".................................................")
'.............................."\x00\x00\x00\x00\x00\x00\x00\x00'

This exposes unexpected values that deallocated recently.
(some my cgi script showed garbage that contains a
database password in offensive query)


----------------------------------------------------------------------

>Comment By: Tim Peters (tim_one)
Date: 2003-03-14 12:14

Message:
Logged In: YES 
user_id=31435

The thing I'm worried about is that _PyString_Resize must 
not be called on a string that's empty to begin with (resizing 
will fail because the empty string is shared, and the resize 
routine checks for that).

The *last* patch to this function inserted the bin_len > 0 test 
for what appears to be that very reason -- but that also 
created the problem we're seeing now.

----------------------------------------------------------------------

Comment By: Thomas Wouters (twouters)
Date: 2003-03-14 12:07

Message:
Logged In: YES 
user_id=34209

Ah, it is not. I'll see about fixing it (and writing the
testcase etc etc yahdah yahdah.)


----------------------------------------------------------------------

Comment By: Tim Peters (tim_one)
Date: 2003-03-14 12:05

Message:
Logged In: YES 
user_id=31435

I raised the priority so someone would look at it.  That part 
worked <wink>.  I'm unsure about the patch, but don't have 
time to explain that now.

----------------------------------------------------------------------

Comment By: Thomas Wouters (twouters)
Date: 2003-03-14 11:48

Message:
Logged In: YES 
user_id=34209

The patch seems to me to be the correct fix. Did you have a
reason to raise the priority but not check it in, Tim ?


----------------------------------------------------------------------

Comment By: Tim Peters (tim_one)
Date: 2003-03-14 10:19

Message:
Logged In: YES 
user_id=31435

Yikes!  Boosted priority way up.  A quick check shows that 
my Python 2.2.2 also appears to "decode" free'd RAM here 
on Windows.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=703471&group_id=5470