Vulnerability in Python when handling unchecked floating point numbers in ctypes

Corrective releases of Python 3.7.10 and 3.6.13 are available that fix a vulnerability (CVE-2021-3177) which could lead to code execution when unchecked floating point numbers are handled in wrappers that call C functions through the ctypes mechanism. The problem also affects the Python 3.8 and 3.9 branches, but the updates for them are still at the release candidate stage (the release is scheduled for March 1).

The problem is caused by a buffer overflow in the ctypes function PyCArg_repr() due to unsafe use of sprintf. In particular, the result of the formatting call 'sprintf(buffer, " ", self->tag, self->value.b)' was written into a static 256-byte buffer ("char buffer[256]"), while the formatted output could exceed that size. To test an application for the vulnerability, pass the value "1e300": when it is processed by the c_double.from_param method it leads to a crash, since the resulting number is 308 characters long and does not fit in a 256-byte buffer. Example of the problematic code:
import ctypes; x = ctypes.c_double.from_param(1e300); repr(x)
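The following added example (not CPython's code) shows why "%f" on a double is the issue: it measures how many characters the conversion produces for a given value, checks that against a 256-byte buffer like the one described above, and puts a bounded snprintf variant beside it that reports truncation instead of overrunning. The "%c %f" format string is constructed for the example; the page does not reproduce the original one.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the static buffer the article describes in PyCArg_repr(). */
#define BUF_SIZE 256

/* Number of characters (without the NUL) that a "%f" conversion of value
 * produces. snprintf with a NULL buffer and size 0 only measures. */
int formatted_length(double value)
{
    return snprintf(NULL, 0, "%f", value);
}

/* 1 if sprintf(buffer, "%f", value) into a BUF_SIZE array would overrun it.
 * "%f" prints every integer digit, so large magnitudes get very long. */
int would_overflow(double value)
{
    return formatted_length(value) + 1 > BUF_SIZE;
}

/* Hardened variant: snprintf never writes past size bytes, and truncation is
 * reported instead of overrunning the buffer. The format string is constructed
 * for this example. Returns the number of characters stored. */
size_t format_safe(char *buf, size_t size, char tag, double value, int *truncated)
{
    int n = snprintf(buf, size, "%c %f", tag, value);
    if (n < 0) {            /* encoding error: leave an empty string */
        buf[0] = '\0';
        *truncated = 1;
        return 0;
    }
    *truncated = (size_t)n >= size;
    return *truncated ? size - 1 : (size_t)n;
}

/* Formats value into a BUF_SIZE buffer the safe way; returns the truncation flag. */
int safe_repr_truncated(double value)
{
    char buf[BUF_SIZE];
    int truncated = 0;
    format_safe(buf, sizeof buf, 'd', value, &truncated);
    return truncated;
}

int main(void)
{
    double probes[] = { 1.5, 1e100, 1e300 };   /* constructed sample values */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("%-6g -> %d chars, overflow=%d, safe path truncated=%d\n",
               probes[i], formatted_length(probes[i]),
               would_overflow(probes[i]), safe_repr_truncated(probes[i]));
    }
    return 0;
}
```

For 1e300 the "%f" conversion yields the 308 characters the article mentions, so the unbounded sprintf overruns the buffer by more than 50 bytes while the snprintf path stores 255 characters and flags the truncation.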

The problem remains unfixed in Debian, Ubuntu and FreeBSD, but has already been fixed in Arch Linux, Fedora and SUSE. In RHEL the vulnerability does not manifest itself because packages are built with FORTIFY_SOURCE, which blocks such buffer overflows in string functions.

Source: opennet.ru