Vulnerability in Python when handling unvalidated floating-point numbers in ctypes

Corrective releases of Python 3.7.10 and 3.6.13 are now available. They fix a vulnerability (CVE-2021-3177) that could lead to code execution when unvalidated floating-point numbers are processed in handlers that call C functions through the ctypes mechanism. The problem also affects Python 3.8 and 3.9, but the updates for those branches are currently at release-candidate status (the release is scheduled for March 1).

The problem is caused by a buffer overflow in the ctypes function PyCArg_repr(), which results from unsafe use of sprintf. Specifically, a static buffer of 256 bytes ("char buffer[256]") was allocated to hold the result of 'sprintf(buffer, " ', self->tag, self->value.b)', while the result could exceed that size. To check whether an application is affected, you can try passing the value "1e300", which, when processed by the c_double.from_param method, leads to a crash, because the resulting number contains 308 digits and does not fit in the 256-byte buffer. An example of problematic code: import ctypes; x = ctypes.c_double.from_param(1e300); repr(x)
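The size mismatch described above can be measured without triggering the overflow. The following C program is an added example, not CPython's code: it computes how many bytes the formatted text needs and shows a bounded snprintf() call truncating instead of writing past a 256-byte buffer. The format string and the function names are assumptions made for illustration, since the format string in the page's copy of the sprintf call is garbled.

```c
#include <stdio.h>
#include <string.h>

#define REPR_BUF 256  /* size of the static buffer named on the page */

/* Constructed stand-in for the repr format; the page's copy is garbled. */
#define REPR_FMT "<cparam '%c' (%f)>"

/* Bytes (excluding the NUL) the formatted text needs; nothing is written. */
int repr_needed(char tag, double value)
{
    return snprintf(NULL, 0, REPR_FMT, tag, value);
}

/* Length of the bare "%f" rendering of a double. */
int double_text_len(double value)
{
    return snprintf(NULL, 0, "%f", value);
}

/*
 * Bounded alternative to the sprintf() call: never writes past
 * out[size - 1]. Returns 0 when the text fit, 1 when it was truncated,
 * -1 on a formatting error.
 */
int repr_bounded(char *out, size_t size, char tag, double value)
{
    int n = snprintf(out, size, REPR_FMT, tag, value);
    if (n < 0)
        return -1;
    return (size_t)n >= size ? 1 : 0;
}

int main(void)
{
    char buf[REPR_BUF];
    double samples[] = { 1.5, 1e300 };  /* constructed sample inputs */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int need = repr_needed('d', samples[i]);
        int rc = repr_bounded(buf, sizeof buf, 'd', samples[i]);
        printf("needs %d bytes, buffer %d, truncated=%d, stored=%zu\n",
               need + 1, REPR_BUF, rc, strlen(buf));
    }
    return 0;
}
```
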

The problem remains unfixed in Debian, Ubuntu and FreeBSD, but has already been fixed in Arch Linux, Fedora and SUSE. In RHEL the vulnerability does not manifest itself because the packages are built in FORTIFY_SOURCE mode, which blocks such buffer overflows in string functions.

Source: opennet.ru
