.. _ctypes-buffer-overflow-pycarg_repr:

ctypes: Buffer overflow in PyCArg_repr
======================================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

There's a buffer overflow in the ctypes ``PyCArg_repr()`` function.

Dates:

* Disclosure date: **2021-01-16** (Python issue bpo-42938 reported)

Fixed In
--------

* Python **3.6.13** (2021-02-16) fixed by commit 34df10a (branch 3.6) (2021-01-18)
* Python **3.7.10** (2021-02-16) fixed by commit d9b8f13 (branch 3.7) (2021-01-18)
* Python **3.8.8** (2021-02-19) fixed by commit ece5dfd (branch 3.8) (2021-01-18)
* Python **3.9.2** (2021-02-19) fixed by commit c347cbe (branch 3.9) (2021-01-18)
* Python **3.10.0** (2021-10-04) fixed by commit 916610e (branch 3.10) (2021-01-18)

Python issue
------------

[security][CVE-2021-3177] ctypes double representation BoF.

* Python issue: bpo-42938
* Creation date: 2021-01-16
* Reporter: Jordy Zomer

CVE-2021-3177
-------------

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

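To make the ``sprintf`` problem described above concrete, the following C program (an added example, not code from CPython or from this page) measures how many bytes a ``%f`` rendering of a double needs and shows a bounded ``snprintf`` wrapper that rejects values that do not fit. The 256-byte buffer, the format string and the helper names ``repr_bytes_needed`` and ``repr_bounded`` are assumptions chosen for illustration.

```c
#include <float.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for this example: the buffer size and the format string. */
#define REPR_BUF_SIZE 256
#define REPR_FMT "<cparam '%c' (%f)>"

/* Bytes, including the trailing NUL, that REPR_FMT needs for this value.
 * snprintf(NULL, 0, ...) only measures; it writes nothing. */
size_t repr_bytes_needed(char tag, double value)
{
    int n = snprintf(NULL, 0, REPR_FMT, tag, value);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded replacement for sprintf(dst, REPR_FMT, ...).
 * Returns 0 on success; returns -1 and leaves dst empty if the text
 * would not fit, instead of writing past dst[size - 1]. */
int repr_bounded(char *dst, size_t size, char tag, double value)
{
    int n = snprintf(dst, size, REPR_FMT, tag, value);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values: a small double, the value named in the
     * CVE text, and the widest %f rendering a double can produce. */
    const double samples[] = { 1.5, 1e300, -DBL_MAX };
    char buf[REPR_BUF_SIZE];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t need = repr_bytes_needed('d', samples[i]);
        int rc = repr_bounded(buf, sizeof buf, 'd', samples[i]);
        printf("%-14g needs %3zu bytes, buffer %d: %s\n", samples[i], need,
               REPR_BUF_SIZE, rc == 0 ? buf : "rejected (does not fit)");
    }
    return 0;
}
```

Because ``%f`` prints every digit of the integer part, the output length grows with the magnitude of the value, so a fixed buffer is only safe when the write is bounded and the return value is checked.
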
* CVE ID: CVE-2021-3177
* Published: 2021-01-19
* CVSS Score: 7.5

Timeline
--------

Timeline using the disclosure date **2021-01-16** as reference:

* 2021-01-16: Python issue bpo-42938 reported by Jordy Zomer
* 2021-01-18 (**+2 days**): commit 34df10a (branch 3.6)
* 2021-01-18 (**+2 days**): commit 916610e (branch 3.10)
* 2021-01-18 (**+2 days**): commit c347cbe (branch 3.9)
* 2021-01-18 (**+2 days**): commit d9b8f13 (branch 3.7)
* 2021-01-18 (**+2 days**): commit ece5dfd (branch 3.8)
* 2021-01-19 (**+3 days**): CVE-2021-3177 published
* 2021-02-16 (**+31 days**): Python 3.6.13 released
* 2021-02-16 (**+31 days**): Python 3.7.10 released
* 2021-02-19 (**+34 days**): Python 3.8.8 released
* 2021-02-19 (**+34 days**): Python 3.9.2 released
* 2021-10-04: Python 3.10.0 released

Links
-----

* https://access.redhat.com/security/cve/cve-2021-3177