expandtab() integer overflow

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by:

• the string_expandtabs() function in Objects/stringobject.c
• the unicode_expandtabs() function in Objects/unicodeobject.c

NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.

• Disclosure date: 2008-03-11 (commit date)
• Reported by: Chris Evans

Fixed In

• Python 2.5.3 (2008-12-19) fixed by commit 44a93e5 (branch 2.5) (2008-03-11)
• Python 2.6.0 (2008-10-01) fixed by commit 5bdff60 (branch 2.6) (2008-03-11)
• Python 3.0.0 (2008-12-03) fixed by commit dd15f6c (branch 3.0) (2008-03-16)

CVE-2008-5031

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.

• CVE ID: CVE-2008-5031
• Published: 2008-11-10
• CVSS Score: 10.0

Timeline

Timeline using the disclosure date 2008-03-11 as reference:

• 2008-03-11: Disclosure date (commit date)
• 2008-03-11 (+0 days): commit 44a93e5 (branch 2.5)
• 2008-03-11 (+0 days): commit 5bdff60 (branch 2.6)
• 2008-03-16 (+5 days): commit dd15f6c (branch 3.0)
• 2008-10-01: Python 2.6.0 released
• 2008-11-10 (+244 days): CVE-2008-5031 published
• 2008-12-03: Python 3.0.0 released
• 2008-12-19 (+283 days): Python 2.5.3 released

Links

• http://scary.beasts.org/security/CESA-2008-008.html
• https://www.cvedetails.com/cve/CVE-2008-2315/