.. _expandtab-integer-overflow:

expandtab() integer overflow
============================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by:

* the ``string_expandtabs()`` function in ``Objects/stringobject.c``
* the ``unicode_expandtabs()`` function in ``Objects/unicodeobject.c``

NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.

Dates:

* Disclosure date: **2008-03-11** (commit date)
* Reported by: Chris Evans

Fixed In
--------

* Python **2.5.3** (2008-12-19) fixed by commit 44a93e5 (branch 2.5) (2008-03-11)
* Python **2.6.0** (2008-10-01) fixed by commit 5bdff60 (branch 2.6) (2008-03-11)
* Python **3.0.0** (2008-12-03) fixed by commit dd15f6c (branch 3.0) (2008-03-16)

CVE-2008-5031
-------------

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.

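
The length calculation a tab-expansion routine performs before it allocates its output, as an added example (not CPython's code and not taken from the advisory): an unchecked version whose total wraps for an oversized tabsize, beside a version that rejects the overflow. The function names, the use of ``size_t`` and the sample inputs are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Added illustration, not CPython source. Unchecked sizing: the sums can wrap. */
size_t expanded_len_unchecked(const char *s, size_t len, size_t tabsize)
{
    size_t total = 0, col = 0;          /* finished lines, current column */
    for (size_t k = 0; k < len; k++) {
        if (s[k] == '\t') {
            if (tabsize > 0) col += tabsize - (col % tabsize);
        } else {
            col++;
            if (s[k] == '\n' || s[k] == '\r') { total += col; col = 0; }
        }
    }
    return total + col;
}

/* Checked sizing: returns 0 and sets *out, or -1 if the length is not representable. */
int expanded_len_checked(const char *s, size_t len, size_t tabsize, size_t *out)
{
    size_t total = 0, col = 0;
    for (size_t k = 0; k < len; k++) {
        if (s[k] == '\t') {
            if (tabsize > 0) {
                size_t pad = tabsize - (col % tabsize);
                if (pad > SIZE_MAX - col) return -1;   /* col + pad would wrap */
                col += pad;
            }
        } else {
            if (col == SIZE_MAX) return -1;
            col++;
            if (s[k] == '\n' || s[k] == '\r') {
                if (col > SIZE_MAX - total) return -1;
                total += col; col = 0;
            }
        }
    }
    if (col > SIZE_MAX - total) return -1;
    *out = total + col;
    return 0;
}

int main(void)
{
    size_t n = 0, big = SIZE_MAX / 2 + 1;   /* constructed oversized tabsize */
    printf("unchecked length: %zu\n", expanded_len_unchecked("\t\t", 2, big));
    printf("checked status:   %d\n", expanded_len_checked("\t\t", 2, big, &n));
    return 0;
}
```

With the constructed input, the unchecked sum wraps to a length far smaller than the expanded text, which is the condition a caller must never pass on to an allocator; the checked version reports the error instead.
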
* CVE ID: CVE-2008-5031
* Published: 2008-11-10
* CVSS Score: 10.0

Timeline
--------

Timeline using the disclosure date **2008-03-11** as reference:

* 2008-03-11: Disclosure date (commit date)
* 2008-03-11: commit 44a93e5 (branch 2.5)
* 2008-03-11: commit 5bdff60 (branch 2.6)
* 2008-03-16 (**+5 days**): commit dd15f6c (branch 3.0)
* 2008-10-01: Python 2.6.0 released
* 2008-11-10 (**+244 days**): CVE-2008-5031 published
* 2008-12-03: Python 3.0.0 released
* 2008-12-19 (**+283 days**): Python 2.5.3 released

Links
-----

* http://scary.beasts.org/security/CESA-2008-008.html
* https://nvd.nist.gov/vuln/detail/CVE-2008-2315/