Vulnerability in the utf-16 decoder after error handling
Vulnerability in the UTF-16 decoder after error handling.
- Disclosure date: 2012-04-14
Fixed In
- Python 2.7.4 (2013-04-06) fixed by commit 715a63b (branch 2.7) (2012-07-20)
- Python 3.2.4 (2013-04-07) fixed by commit 715a63b (branch 2.7) (2012-07-20)
- Python 3.3.0 (2012-09-29) fixed by commit b4bbee2 (branch 3.3) (2012-07-20)
Python issue
CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling.
- Python issue: bpo-14579
- Creation date: 2012-04-14
- Reporter: Serhiy Storchaka
CVE-2012-2135
The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.
- CVE ID: CVE-2012-2135
- Published: 2012-08-14
- CVSS Score: 6.4
Timeline
Timeline using the disclosure date 2012-04-14 as reference:
- 2012-04-14: Disclosure date
- 2012-04-14 (+0 days): Python issue bpo-14579 reported by Serhiy Storchaka
- 2012-07-20 (+97 days): commit 715a63b (branch 2.7)
- 2012-07-20 (+97 days): commit b4bbee2 (branch 3.3)
- 2012-08-14 (+122 days): CVE-2012-2135 published
- 2012-09-29: Python 3.3.0 released
- 2013-04-06 (+357 days): Python 2.7.4 released
- 2013-04-07 (+358 days): Python 3.2.4 released