OVAL

ALAS-2014-380 ---- python27

ID: oval:org.secpod.oval:def:1600056
Date: (C)2016-01-19   (M)2018-05-06
Class: PATCH
Family: unix




It was reported that Python's built-in _json module has a flaw which allows a local user to read the current process's arbitrary memory.

Quoting the upstream bug report:

The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index value. The index value is then used directly as an index to an array in the C code; internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory.
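The missing lower-bound check described above, as an added example in C. It is a simplified model, not the CPython _json source and not code from this advisory; the function names and the sample string are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the flawed validation: only the upper bound is tested, so a
 * negative signed index passes and buf[idx] would address memory that
 * lies before the start of the buffer. */
static int index_ok_upper_only(ptrdiff_t len, ptrdiff_t idx)
{
    return idx < len;
}

/* Hardened validation: reject negative values as well as idx >= len. */
static int index_ok(ptrdiff_t len, ptrdiff_t idx)
{
    return idx >= 0 && idx < len;
}

/* Hypothetical accessor: copies buf[idx] into *out only when the index is
 * inside [0, len). Returns 0 on success, -1 when the index is rejected. */
static int char_at(const char *buf, ptrdiff_t len, ptrdiff_t idx, char *out)
{
    if (!index_ok(len, idx))
        return -1;
    *out = buf[idx];
    return 0;
}

int main(void)
{
    const char doc[] = "{\"k\": \"v\"}";  /* constructed sample input */
    ptrdiff_t len = (ptrdiff_t)(sizeof doc - 1);
    ptrdiff_t samples[] = { 0, len - 1, len, -1, -4096 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char c = 0;
        int rc = char_at(doc, len, samples[i], &c);
        printf("idx=%td upper_only=%d full=%d rc=%d\n", samples[i],
               index_ok_upper_only(len, samples[i]),
               index_ok(len, samples[i]), rc);
    }
    return 0;
}
```

The upper-bound-only predicate accepts every negative index, which is the condition the bug report describes; the full check rejects it before any memory is touched.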

Platform:
Amazon Linux AMI
Product:
python27
Reference:
ALAS-2014-380
CVE-2014-4616
CVE    1
CVE-2014-4616
CPE    2
cpe:/a:python:python27
cpe:/o:amazon:linux

© SecPod Technologies