CVE-2012-2135: UTF-16 decoder

Vulnerability in the UTF-16 decoder after error handling.

  • Disclosure date: 2012-04-14

Fixed In

Python issue

CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling.

  • Python issue: issue #14579
  • Creation date: 2012-04-14
  • Reporter: Serhiy Storchaka

CVE-2012-2135

The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.

Timeline

Timeline using the disclosure date 2012-04-14 as reference:

  • 2012-04-14: Disclosure date
  • 2012-04-14 (+0 days): Python issue #14579 reported by Serhiy Storchaka
  • 2012-07-20 (+97 days): commit 715a63b
  • 2012-07-20 (+97 days): commit b4bbee2
  • 2012-08-14 (+122 days): CVE-2012-2135 published
  • 2012-09-29: Python 3.3.0 released
  • 2013-04-06 (+357 days): Python 2.7.4 released
  • 2013-04-07 (+358 days): Python 3.2.4 released