CVE-2010-2089: audioop input validation

The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse() with a one-byte string, a different vulnerability than CVE-2010-1634.

  • Disclosure date: 2010-01-11 (Python issue #7673 reported)

Fixed In

Python issue

audioop: check that length is a multiple of the size.

  • Python issue: issue #7673
  • Creation date: 2010-01-11
  • Reporter: STINNER Victor
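The fix summarised above ("check that length is a multiple of the size") is the relationship the CVE text says audioop failed to verify. The following is an added example, not CPython's audioop C code: a pure-Python sample reversal whose parameter check mirrors that fix, so a one-byte fragment with a two-byte sample width is rejected before any sample indexing happens. The `AudioopError` class and the `check_parameters`, `reverse_samples` and `is_safe_call` names are assumptions of this example, standing in for the module's own `audioop.error`.

```python
# Added example (not CPython's audioop code): a pure-Python sample reversal
# that performs the length check the fix for Python issue #7673 introduced,
# i.e. the fragment length must be a whole multiple of the sample width.

import struct

VALID_WIDTHS = (1, 2, 4)  # sample sizes audioop accepts, in bytes


class AudioopError(ValueError):
    """Stand-in for audioop.error (hypothetical name for this example)."""


def check_parameters(fragment: bytes, width: int) -> int:
    """Validate the (fragment, width) pair and return the number of samples.

    This is the relationship CVE-2010-2089 is about: without the modulo
    check, the C loop computed sample offsets from a length that was not a
    multiple of the width and indexed outside the buffer.
    """
    if width not in VALID_WIDTHS:
        raise AudioopError("Size should be 1, 2 or 4")
    if len(fragment) % width != 0:
        raise AudioopError("not a whole number of frames")
    return len(fragment) // width


def reverse_samples(fragment: bytes, width: int) -> bytes:
    """Return the fragment with its samples in reverse order.

    Every slice below is exactly `width` bytes, which check_parameters()
    guarantees; without it the final slice could be short or empty.
    """
    nsamples = check_parameters(fragment, width)
    samples = [fragment[i * width:(i + 1) * width] for i in range(nsamples)]
    return b"".join(reversed(samples))


def is_safe_call(fragment: bytes, width: int) -> bool:
    """True when the pair passes validation, False when it would not."""
    try:
        check_parameters(fragment, width)
    except AudioopError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: three little-endian 16-bit samples, and the
    # one-byte fragment with width 2 that the CVE description cites.
    good = struct.pack("<3h", 1, 2, 3)
    print(reverse_samples(good, 2))  # b'\x03\x00\x02\x00\x01\x00'
    print(is_safe_call(b"\x00", 2))  # False
```

The check runs once, up front, and returns the sample count that the rest of the function relies on; doing it this way means every later slice is known to be exactly `width` bytes long, which is the invariant the original C code assumed without verifying.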

CVE-2010-2089

The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.

Timeline

Timeline using the disclosure date 2010-01-11 as reference:

  • 2010-01-11: Python issue #7673 reported by STINNER Victor
  • 2010-05-27 (+136 days): CVE-2010-2089 published
  • 2010-07-03 (+173 days): commit 8e42fb7
  • 2010-07-03 (+173 days): commit bc5c54b
  • 2010-07-03 (+173 days): commit e9123ef
  • 2010-08-24 (+225 days): Python 2.6.6 released
  • 2010-11-27 (+320 days): Python 3.1.3 released
  • 2011-02-20 (+405 days): Python 3.2.0 released
  • 2011-06-11 (+516 days): Python 2.7.2 released