audioop input validation

The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse() with a one-byte string, a different vulnerability than CVE-2010-1634.

Dates:

• Disclosure date: 2010-01-11 (Python issue bpo-7673 reported)

Fixed In

• Python 2.6.6 (2010-08-24) fixed by commit e9123ef (branch 2.6) (2010-07-03)
• Python 2.7.2 (2011-06-11) fixed by commit e9123ef (branch 2.6) (2010-07-03)
• Python 3.1.3 (2010-11-27) fixed by commit 8e42fb7 (branch 3.1) (2010-07-03)
• Python 3.2.0 (2011-02-20) fixed by commit bc5c54b (branch 3.2) (2010-07-03)

Python issue

audioop: check that length is a multiple of the size.

• Python issue: bpo-7673
• Creation date: 2010-01-11
• Reporter: STINNER Victor

CVE-2010-2089

The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.

• CVE ID: CVE-2010-2089
• Published: 2010-05-27
• CVSS Score: 5.0

Timeline

Timeline using the disclosure date 2010-01-11 as reference:

• 2010-01-11: Python issue bpo-7673 reported by STINNER Victor
• 2010-05-27 (+136 days): CVE-2010-2089 published
• 2010-07-03 (+173 days): commit 8e42fb7 (branch 3.1)
• 2010-07-03 (+173 days): commit bc5c54b (branch 3.2)
• 2010-07-03 (+173 days): commit e9123ef (branch 2.6)
• 2010-08-24 (+225 days): Python 2.6.6 released
• 2010-11-27 (+320 days): Python 3.1.3 released
• 2011-02-20: Python 3.2.0 released
• 2011-06-11 (+516 days): Python 2.7.2 released

Links

• https://nvd.nist.gov/vuln/detail/CVE-2010-1634/