audioop input validation¶
The audioop
module in Python 2.7 and 3.2 does not verify the relationships
between size arguments and byte string lengths, which allows
context-dependent attackers to cause a denial of service (memory corruption
and application crash) via crafted arguments, as demonstrated by a call to
audioop.reverse()
with a one-byte string, a different vulnerability
than CVE-2010-1634.
Dates:
- Disclosure date: 2010-01-11 (Python issue bpo-7673 reported)
Fixed In¶
- Python 2.6.6 (2010-08-24) fixed by commit e9123ef (branch 2.6) (2010-07-03)
- Python 2.7.2 (2011-06-11) fixed by commit e9123ef (branch 2.6) (2010-07-03)
- Python 3.1.3 (2010-11-27) fixed by commit 8e42fb7 (branch 3.1) (2010-07-03)
- Python 3.2.0 (2011-02-20) fixed by commit bc5c54b (branch 3.2) (2010-07-03)
Python issue¶
audioop: check that length is a multiple of the size.
- Python issue: bpo-7673
- Creation date: 2010-01-11
- Reporter: STINNER Victor
CVE-2010-2089¶
The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
- CVE ID: CVE-2010-2089
- Published: 2010-05-27
- CVSS Score: 5.0
Timeline¶
Timeline using the disclosure date 2010-01-11 as reference:
- 2010-01-11: Python issue bpo-7673 reported by STINNER Victor
- 2010-05-27 (+136 days): CVE-2010-2089 published
- 2010-07-03 (+173 days): commit 8e42fb7 (branch 3.1)
- 2010-07-03 (+173 days): commit bc5c54b (branch 3.2)
- 2010-07-03 (+173 days): commit e9123ef (branch 2.6)
- 2010-08-24 (+225 days): Python 2.6.6 released
- 2010-11-27 (+320 days): Python 3.1.3 released
- 2011-02-20: Python 3.2.0 released
- 2011-06-11 (+516 days): Python 2.7.2 released