Buffer overflow in Python (de)compression module
A hole in Python's zlib (de)compression module is said to allow attackers to gain control of a system. According to reports, the flaw is located in the flush() function for deleting a decompression stream, in which the amount of data to be deleted can be set via a parameter. However, the parameter value is not verified. Submitting a negative value can cause a buffer overflow, allowing code to be injected and executed. A compromised application may also just crash.
Although the security hole is classified as critical by Justin Ferguson from IOActive, who found the bug, his report doesn't give clear details about how the vulnerability can be triggered remotely. While the zlib module processes compression- and decompression-related user input, it is unlikely that the deletion parameter passed to the affected flush() method will be derived from user input to a web application.
The flaw was detected in Python version 2.5.2, but other versions are also likely to be affected. The developers of Python have already fixed the problem in the Subversion repository.
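The following is an added example, not code from the advisory or from the Python project: a caller-side guard for a length that reaches flush() from outside the program, plus a check that an interpreter rejects a negative length. The names `safe_flush`, `MAX_FLUSH_LEN` and `runtime_rejects_negative_length` are hypothetical, the 1 MiB cap is an assumed application limit, and the checker itself assumes Python 3.7 or later.

```python
import subprocess
import sys
import zlib

MAX_FLUSH_LEN = 1 << 20  # assumed application cap on the flush buffer size


def safe_flush(decomp, length):
    """Validate a caller-supplied length before handing it to flush()."""
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(length, bool) or not isinstance(length, int):
        raise TypeError("length must be an integer")
    if not 0 < length <= MAX_FLUSH_LEN:
        raise ValueError("length out of range: %r" % (length,))
    return decomp.flush(length)


# The probe runs in a child interpreter, so a crash on an unpatched build
# is reported as a failed check instead of taking the checker down with it.
_PROBE = (
    "import zlib\n"
    "try:\n"
    "    zlib.decompressobj().flush(-1)\n"
    "except ValueError:\n"
    "    raise SystemExit(0)\n"
    "raise SystemExit(1)\n"
)


def runtime_rejects_negative_length(python=sys.executable):
    """Return True only if the interpreter refuses a negative flush length."""
    proc = subprocess.run([python, "-c", _PROBE], capture_output=True)
    # Exit code 0: ValueError was raised. Anything else (silent acceptance
    # or death by signal) counts as not verified.
    return proc.returncode == 0


if __name__ == "__main__":
    print("negative length rejected:", runtime_rejects_negative_length())
```

Pass the path of another interpreter as `python` to check a build other than the one running the script.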
See also:
- Integer signedness bugs in zlib modules, entry in Python problem database
- Buffer overflow in Python zlib extension module, security advisory by Justin Ferguson
(mba)