.. _pystring_decodeescape-integer-overflow:

PyString_DecodeEscape integer overflow
======================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Check & prevent integer overflow in PyString_DecodeEscape.

You need to compile a 1 GiB Python file on a 32-bit system to reproduce it. It is very unlikely that this can happen by accident, and it is hard to use it in a security attack. If you can make the attacked program compile a 1 GiB Python file, you perhaps have easier ways to do harm.

Dates:

* Disclosure date: **2017-06-13** (Python issue bpo-30657 reported)

Fixed In
--------

* Python **2.7.14** (2017-09-16) fixed by commit c3c9db8 (branch 2.7) (2017-06-18)
* Python **3.4.8** (2018-02-04) fixed by commit 6c004b4 (branch 3.4) (2017-12-08)
* Python **3.5.5** (2018-02-04) fixed by commit fd8614c (branch 3.5) (2017-12-08)

Python issue
------------

[security] CVE-2017-1000158: Unsafe arithmetic in PyString_DecodeEscape.

* Python issue: bpo-30657
* Creation date: 2017-06-13
* Reporter: Jay Bosamiya

CVE-2017-1000158
----------------

CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)

* CVE ID: CVE-2017-1000158
* Published: 2017-11-17
* CVSS Score: 7.5

Timeline
--------

Timeline using the disclosure date **2017-06-13** as reference:

* 2017-06-13: Python issue bpo-30657 reported by Jay Bosamiya
* 2017-06-18 (**+5 days**): commit c3c9db8 (branch 2.7)
* 2017-09-16 (**+95 days**): Python 2.7.14 released
* 2017-11-17 (**+157 days**): CVE-2017-1000158 published
* 2017-12-08 (**+178 days**): commit 6c004b4 (branch 3.4)
* 2017-12-08 (**+178 days**): commit fd8614c (branch 3.5)
* 2018-02-04 (**+236 days**): Python 3.4.8 released
* 2018-02-04 (**+236 days**): Python 3.5.5 released
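
The summary above ties the overflow to a 1 GiB input on a 32-bit system; the following added example (not CPython's code and not taken from the fix commits) shows why that size matters and what a pre-multiplication check looks like. It assumes the output buffer is sized as 4 times the input length; the factor, the function names and the 32-bit stand-in types are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed worst-case output bytes per input byte (not shown on the page). */
#define EXPANSION 4

/* Unchecked sizing as a 32-bit build would compute it: the product is
 * truncated to 32 bits, so a 1 GiB length yields a buffer size of 0. */
uint32_t unchecked_bufsize(uint32_t len, int recode)
{
    if (!recode)
        return len;
    return (uint32_t)(((uint64_t)len * EXPANSION) & 0xFFFFFFFFu);
}

/* Checked sizing: reject the length before multiplying.
 * Returns 0 and stores the size in *out, or -1 if it would overflow. */
int checked_bufsize(int32_t len, int recode, int32_t *out)
{
    if (len < 0)
        return -1;
    if (recode && len > INT32_MAX / EXPANSION)
        return -1;              /* caller reports "string is too large" */
    *out = recode ? len * EXPANSION : len;
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: small, largest safe, 1 GiB, 1 GiB + 1. */
    const int32_t samples[] = { 16, INT32_MAX / EXPANSION, 1 << 30, (1 << 30) + 1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t size = 0;
        int rc = checked_bufsize(samples[i], 1, &size);
        printf("len=%ld unchecked=%lu checked=%s\n",
               (long)samples[i],
               (unsigned long)unchecked_bufsize((uint32_t)samples[i], 1),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

With the unchecked form, a decoder that then writes at least ``len`` bytes into the undersized buffer overruns the heap allocation, which is the outcome the CVE text describes.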