Vulnerability in Python when handling invalid numbers in ctypes

Bug-fix releases of the Python programming language, 3.7.10 and 3.6.13, are available. They fix a vulnerability (CVE-2021-3177) that can lead to code execution when invalid floating-point numbers are processed in handlers that call C functions through the ctypes mechanism. The problem also affects the Python 3.8 and 3.9 branches, but the updates for them are still at the release-candidate stage (the release is scheduled for March 1).

The problem is caused by a buffer overflow in the ctypes function PyCArg_repr(), which results from unsafe use of sprintf. Specifically, a fixed 256-byte buffer ("char buffer[256]") is allocated to hold the result of the conversion 'sprintf(buffer, " ", self->tag, self->value.f)', while that result can be longer than the buffer. To check whether an application is affected, you can try passing the value "1e300": when it is processed through c_double.from_param it causes a crash, because the formatted number is 308 characters long and does not fit in the 256-byte buffer. Example of the problematic code: "import ctypes; x = ctypes.c_double.from_param(1e300); repr(x)"
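The length arithmetic behind the overflow, as an added example that is not code from the page or from CPython: a C reconstruction of the fixed-buffer repr pattern in which snprintf measures the formatted result and reports truncation instead of writing past the end of the buffer. The format string, the function names and the 256-byte size used here are assumptions modelled on the description above.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer, matching "char buffer[256]" in the text. */
#define REPR_BUF_SIZE 256

/* Assumed repr format: a tag character and the value printed with %f.
 * With %f, 1e300 expands to 301 integer digits plus ".000000" (308 chars),
 * so the formatted string alone is already longer than the buffer. */
static const char *REPR_FMT = "<cparam '%c' (%f)>";

/* Number of characters the repr would occupy (excluding the NUL), computed
 * without writing anything. This is the check the vulnerable sprintf never did. */
int cparam_repr_len(char tag, double value) {
    return snprintf(NULL, 0, REPR_FMT, tag, value);
}

/* Formats the repr into out (out_size bytes). Returns 1 if the whole string
 * fit, 0 if it was truncated; out is always NUL-terminated either way. */
int cparam_repr_safe(char *out, size_t out_size, char tag, double value) {
    int needed = snprintf(out, out_size, REPR_FMT, tag, value);
    return needed >= 0 && (size_t)needed < out_size;
}

/* Convenience check: would this value have overflowed the original fixed buffer? */
int would_overflow_fixed_buffer(double value) {
    return cparam_repr_len('d', value) >= REPR_BUF_SIZE;
}

int main(void) {
    char buffer[REPR_BUF_SIZE];
    double samples[] = { 1.0, 1e100, 1e300 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fit = cparam_repr_safe(buffer, sizeof buffer, 'd', samples[i]);
        printf("%-6g needs %3d chars, fits in %d-byte buffer: %s\n",
               samples[i], cparam_repr_len('d', samples[i]),
               REPR_BUF_SIZE, fit ? "yes" : "no (truncated)");
    }
    return 0;
}
```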

The problem remains unfixed in Debian, Ubuntu and FreeBSD, but has already been fixed in Arch Linux, Fedora and SUSE. In RHEL the vulnerability is not exploitable, because the packages are built with FORTIFY_SOURCE, which blocks this kind of buffer overflow in string functions.

source: budenet.ru
