ctypes: Buffer overflow in PyCArg_repr
There's a buffer overflow in the ctypes PyCArg_repr() function.
Dates:
- Disclosure date: 2021-01-16 (Python issue bpo-42938 reported)
Fixed In
- Python 3.6.13 (2021-02-16) fixed by commit 34df10a (branch 3.6) (2021-01-18)
- Python 3.7.10 (2021-02-16) fixed by commit d9b8f13 (branch 3.7) (2021-01-18)
- Python 3.8.8 (2021-02-19) fixed by commit ece5dfd (branch 3.8) (2021-01-18)
- Python 3.9.2 (2021-02-19) fixed by commit c347cbe (branch 3.9) (2021-01-18)
- Python 3.10.0 (2021-10-04) fixed by commit 916610e (branch 3.10) (2021-01-18)
Python issue
[security][CVE-2021-3177] ctypes double representation BoF.
- Python issue: bpo-42938
- Creation date: 2021-01-16
- Reporter: Jordy Zomer
CVE-2021-3177
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
- CVE ID: CVE-2021-3177
- Published: 2021-01-19
- CVSS Score: 7.5
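The mechanism behind the CVE text above, as an added illustration that is not code from CPython or from this page: measuring how long the "%f" rendering of a value such as 1e300 is shows why an unbounded sprintf() into a fixed stack buffer overruns it, and the bounded snprintf() variant beside it is the shape of fix the commits apply. The 256-byte buffer size and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer the unpatched repr wrote into
   (an assumption for this example; the page does not state it). */
#define CPARAM_BUF 256

/* Bytes needed for "<cparam 'tag' (%f)>" for a given double, excluding
   the terminating NUL. snprintf() with a NULL buffer and size 0 only
   measures; nothing is written anywhere. */
size_t cparam_repr_len(char tag, double value)
{
    int n = snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, value);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if an unbounded sprintf() of this value would write past a
   CPARAM_BUF-byte buffer (text plus NUL must fit), else 0. */
int would_overflow(char tag, double value)
{
    return cparam_repr_len(tag, value) + 1 > CPARAM_BUF;
}

/* Hardened form: bounded formatting. Returns 0 when the text fits,
   -1 when snprintf() had to truncate (caller must grow the buffer or
   report an error instead of trusting the result). */
int cparam_repr_safe(char *buf, size_t bufsize, char tag, double value)
{
    int n = snprintf(buf, bufsize, "<cparam '%c' (%f)>", tag, value);
    if (n < 0 || (size_t)n >= bufsize) {
        return -1;
    }
    return 0;
}

/* Runs the hardened form into a CPARAM_BUF-byte stack buffer, as the
   patched code would; returns its status so it can be checked. */
int safe_fits(char tag, double value)
{
    char buf[CPARAM_BUF];
    return cparam_repr_safe(buf, sizeof(buf), tag, value);
}

int main(void)
{
    printf("1e300 needs %zu bytes; overflow=%d safe=%d\n",
           cparam_repr_len('d', 1e300), would_overflow('d', 1e300),
           safe_fits('d', 1e300));
    return 0;
}
```

Note that the bounded form only prevents the memory write; a value that does not fit is still an error the caller has to handle rather than silently print.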
Timeline
Timeline using the disclosure date 2021-01-16 as reference:
- 2021-01-16: Python issue bpo-42938 reported by Jordy Zomer
- 2021-01-18 (+2 days): commit 34df10a (branch 3.6)
- 2021-01-18 (+2 days): commit 916610e (branch 3.10)
- 2021-01-18 (+2 days): commit c347cbe (branch 3.9)
- 2021-01-18 (+2 days): commit d9b8f13 (branch 3.7)
- 2021-01-18 (+2 days): commit ece5dfd (branch 3.8)
- 2021-01-19 (+3 days): CVE-2021-3177 published
- 2021-02-16 (+31 days): Python 3.6.13 released
- 2021-02-16 (+31 days): Python 3.7.10 released
- 2021-02-19 (+34 days): Python 3.8.8 released
- 2021-02-19 (+34 days): Python 3.9.2 released
- 2021-10-04: Python 3.10.0 released