Vulnerabilities > CVE-2018-1000030 - Use After Free vulnerability in multiple products
Summary
Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0037.NASL description An update of {'mercurial', 'python2', 'zsh', 'pycrypto', 'patch', 'binutils', 'paramiko', 'httpd', 'mysql', 'xerces-c', 'util-linux', 'net-snmp', 'python3', 'sqlite'} packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111297 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111297 title Photon OS 2.0 : Zsh / Python3 / Xerces / Mercurial / Pmd / Pycrypto / Net / Python2 / Util / Mysql / Paramiko / Binutils / Patch / Sqlite (PhotonOS-PHSA-2018-2.0-0037) (deprecated) code # # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2/7/2019 # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2018-2.0-0037. The text # itself is copyright (C) VMware, Inc. include("compat.inc"); if (description) { script_id(111297); script_version("1.3"); script_cvs_date("Date: 2019/04/05 23:25:07"); script_cve_id( "CVE-2017-12627", "CVE-2017-18207", "CVE-2018-1303", "CVE-2018-2573", "CVE-2018-2583", "CVE-2018-2612", "CVE-2018-2622", "CVE-2018-2640", "CVE-2018-2665", "CVE-2018-2668", "CVE-2018-2703", "CVE-2018-6594", "CVE-2018-6951", "CVE-2018-7208", "CVE-2018-7549", "CVE-2018-7643", "CVE-2018-7738", "CVE-2018-7750", "CVE-2018-8740", "CVE-2018-1000030", "CVE-2018-1000116", "CVE-2018-1000117", "CVE-2018-1000132" ); script_bugtraq_id( 102678, 102681, 102682, 102704, 102706, 102708, 102709, 102710, 103044, 103077, 103219, 103264, 103367, 103466, 103522, 103713, 104527 ); script_name(english:"Photon OS 2.0 : Zsh / Python3 / Xerces / Mercurial / Pmd / Pycrypto / Net / Python2 / Util / Mysql / Paramiko / Binutils / Patch / Sqlite (PhotonOS-PHSA-2018-2.0-0037) (deprecated)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "This plugin has been deprecated."); script_set_attribute(attribute:"description", value: "An update of {'mercurial', 'python2', 'zsh', 'pycrypto', 'patch', 'binutils', 'paramiko', 'httpd', 'mysql', 'xerces-c', 'util-linux', 'net-snmp', 'python3', 'sqlite'} packages of Photon OS has been released."); # https://github.com/vmware/photon/wiki/Security-Updates-2-37 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5a24de30"); script_set_attribute(attribute:"solution", value:"n/a."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12627"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/24"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zsh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:python3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:xerces"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:mercurial"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:pmd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:pycrypto"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:net"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:python2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:util"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:paramiko"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:binutils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:patch"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:sqlite"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } exit(0, "This plugin has been deprecated."); include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; pkgs = [ "binutils-2.30-4.ph2", "binutils-debuginfo-2.30-4.ph2", "binutils-devel-2.30-4.ph2", "mercurial-4.5.3-1.ph2", "mercurial-debuginfo-4.5.3-1.ph2", "mysql-5.7.21-1.ph2", "mysql-debuginfo-5.7.21-1.ph2", "mysql-devel-5.7.21-1.ph2", "net-snmp-5.7.3-8.ph2", "net-snmp-debuginfo-5.7.3-8.ph2", "net-snmp-devel-5.7.3-8.ph2", "paramiko-2.1.5-1.ph2", "patch-2.7.5-5.ph2", "patch-debuginfo-2.7.5-5.ph2", "pmd-python2-0.0.5-5.ph2", "pmd-python3-0.0.5-5.ph2", "pycrypto-2.6.1-4.ph2", "pycrypto-debuginfo-2.6.1-4.ph2", "python2-2.7.13-12.ph2", "python2-debuginfo-2.7.13-12.ph2", "python2-devel-2.7.13-12.ph2", "python2-libs-2.7.13-12.ph2", "python2-test-2.7.13-12.ph2", "python2-tools-2.7.13-12.ph2", "python3-3.6.5-1.ph2", "python3-curses-3.6.5-1.ph2", "python3-debuginfo-3.6.5-1.ph2", "python3-devel-3.6.5-1.ph2", "python3-libs-3.6.5-1.ph2", "python3-paramiko-2.1.5-1.ph2", "python3-paramiko-2.1.5-1.ph2", "python3-pip-3.6.5-1.ph2", "python3-pycrypto-2.6.1-4.ph2", "python3-pycrypto-2.6.1-4.ph2", "python3-setuptools-3.6.5-1.ph2", "python3-test-3.6.5-1.ph2", "python3-tools-3.6.5-1.ph2", "python3-xml-3.6.5-1.ph2", "sqlite-3.22.0-2.ph2", "sqlite-debuginfo-3.22.0-2.ph2", "sqlite-devel-3.22.0-2.ph2", "sqlite-libs-3.22.0-2.ph2", "util-linux-2.32-1.ph2", "util-linux-debuginfo-2.32-1.ph2", "util-linux-devel-2.32-1.ph2", "util-linux-lang-2.32-1.ph2", "util-linux-libs-2.32-1.ph2", "xerces-c-3.2.1-1.ph2", "xerces-c-debuginfo-3.2.1-1.ph2", "xerces-c-devel-3.2.1-1.ph2", "zsh-5.3.1-6.ph2", "zsh-debuginfo-5.3.1-6.ph2", "zsh-html-5.3.1-6.ph2" ]; foreach (pkg in pkgs) if (rpm_check(release:"PhotonOS-2.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zsh / python3 / xerces / mercurial / pmd / pycrypto / net / python2 / util / mysql / paramiko / binutils / patch / sqlite"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3817-1.NASL description It was discovered that Python incorrectly handled large amounts of data. A remote attacker could use this issue to cause Python to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-1000030) It was discovered that Python incorrectly handled running external commands in the shutil module. A remote attacker could use this issue to cause Python to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-1000802) It was discovered that Python incorrectly used regular expressions vulnerable to catastrophic backtracking. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-1060, CVE-2018-1061) It was discovered that Python failed to initialize Expat last seen 2020-06-01 modified 2020-06-02 plugin id 118954 published 2018-11-14 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118954 title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : python2.7, python3.4, python3.5 vulnerabilities (USN-3817-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3817-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(118954); script_version("1.3"); script_cvs_date("Date: 2019/09/18 12:31:48"); script_cve_id("CVE-2018-1000030", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647"); script_xref(name:"USN", value:"3817-1"); script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : python2.7, python3.4, python3.5 vulnerabilities (USN-3817-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that Python incorrectly handled large amounts of data. A remote attacker could use this issue to cause Python to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-1000030) It was discovered that Python incorrectly handled running external commands in the shutil module. A remote attacker could use this issue to cause Python to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-1000802) It was discovered that Python incorrectly used regular expressions vulnerable to catastrophic backtracking. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-1060, CVE-2018-1061) It was discovered that Python failed to initialize Expat's hash salt. A remote attacker could possibly use this issue to cause hash collisions, leading to a denial of service. (CVE-2018-14647). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3817-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python2.7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python2.7-minimal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3.4-minimal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3.5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3.5-minimal"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/08"); script_set_attribute(attribute:"patch_publication_date", value:"2018/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"python2.7", pkgver:"2.7.6-8ubuntu0.5")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"python2.7-minimal", pkgver:"2.7.6-8ubuntu0.5")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"python3.4", pkgver:"3.4.3-1ubuntu1~14.04.7")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"python3.4-minimal", pkgver:"3.4.3-1ubuntu1~14.04.7")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"python2.7", pkgver:"2.7.12-1ubuntu0~16.04.4")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"python2.7-minimal", pkgver:"2.7.12-1ubuntu0~16.04.4")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"python3.5", pkgver:"3.5.2-2ubuntu0~16.04.5")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"python3.5-minimal", pkgver:"3.5.2-2ubuntu0~16.04.5")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"python2.7", pkgver:"2.7.15~rc1-1ubuntu0.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"python2.7-minimal", pkgver:"2.7.15~rc1-1ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python2.7 / python2.7-minimal / python3.4 / python3.4-minimal / etc"); }
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0125.NASL description An update of 'python2' packages of Photon OS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111929 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111929 title Photon OS 1.0: Python2 PHSA-2018-1.0-0125 (deprecated) code # # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2/7/2019 # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2018-1.0-0125. The text # itself is copyright (C) VMware, Inc. include("compat.inc"); if (description) { script_id(111929); script_version("1.2"); script_cvs_date("Date: 2019/02/07 18:59:50"); script_cve_id("CVE-2018-1000030"); script_name(english:"Photon OS 1.0: Python2 PHSA-2018-1.0-0125 (deprecated)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "This plugin has been deprecated."); script_set_attribute(attribute:"description", value: "An update of 'python2' packages of Photon OS has been released."); # https://github.com/vmware/photon/wiki/Security-Updates-1.0-125 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?10b159b6"); script_set_attribute(attribute:"solution", value:"n/a."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1000030"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:python2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } exit(0, "This plugin has been deprecated."); include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; pkgs = [ "python2-2.7.13-5.ph1", "python2-debuginfo-2.7.13-5.ph1", "python2-devel-2.7.13-5.ph1", "python2-libs-2.7.13-5.ph1", "python2-tools-2.7.13-5.ph1" ]; foreach (pkg in pkgs) if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python2"); }
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1078.NASL description According to the version of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-i1/4zMalloc-i1/4zThread1-i1/4zFree last seen 2020-05-06 modified 2018-05-02 plugin id 109476 published 2018-05-02 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109476 title EulerOS 2.0 SP1 : python (EulerOS-SA-2018-1078) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(109476); script_version("1.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2018-1000030" ); script_name(english:"EulerOS 2.0 SP1 : python (EulerOS-SA-2018-1078)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-i1/4zMalloc-i1/4zThread1-i1/4zFree's-i1/4zThread2-Re-us es-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.(CVE-2018-1000030) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1078 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?484eb2f8"); script_set_attribute(attribute:"solution", value: "Update the affected python package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/02"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-libs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["python-2.7.5-58.h7", "python-devel-2.7.5-58.h7", "python-libs-2.7.5-58.h7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-511.NASL description This update for python fixes the following issues : Security issues fixed : - CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664). - CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300). This update was imported from the SUSE:SLE-12-SP1:Update update project. last seen 2020-06-05 modified 2018-05-24 plugin id 110069 published 2018-05-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110069 title openSUSE Security Update : python (openSUSE-2018-511) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-511. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(110069); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-1000158", "CVE-2018-1000030"); script_name(english:"openSUSE Security Update : python (openSUSE-2018-511)"); script_summary(english:"Check for the openSUSE-2018-511 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for python fixes the following issues : Security issues fixed : - CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664). - CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300). This update was imported from the SUSE:SLE-12-SP1:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1068664" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1079300" ); script_set_attribute( attribute:"solution", value:"Update the affected python packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpython2_7-1_0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpython2_7-1_0-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpython2_7-1_0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpython2_7-1_0-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-base-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-base-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-base-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-curses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-curses-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-demo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-doc-pdf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-gdbm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-gdbm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-idle"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-tk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-tk-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-xml-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"libpython2_7-1_0-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libpython2_7-1_0-debuginfo-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-base-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-base-debuginfo-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-base-debugsource-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-curses-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-curses-debuginfo-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-debuginfo-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-debugsource-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-demo-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-devel-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-doc-pdf-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-gdbm-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-gdbm-debuginfo-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-idle-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-tk-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-tk-debuginfo-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-xml-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-xml-debuginfo-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libpython2_7-1_0-32bit-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libpython2_7-1_0-debuginfo-32bit-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"python-32bit-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"python-base-32bit-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"python-base-debuginfo-32bit-2.7.13-27.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"python-debuginfo-32bit-2.7.13-27.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpython2_7-1_0 / libpython2_7-1_0-32bit / etc"); }
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201811-02.NASL description The remote host is affected by the vulnerability described in GLSA-201811-02 (Python: Buffer overflow) A buffer overflow vulnerability have been discovered in Python. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, in special situations such as function as a service, could violate a trust boundary and cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-03-18 modified 2018-11-09 plugin id 118846 published 2018-11-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118846 title GLSA-201811-02 : Python: Buffer overflow code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201811-02. # # The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(118846); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/06"); script_cve_id("CVE-2018-1000030"); script_xref(name:"GLSA", value:"201811-02"); script_name(english:"GLSA-201811-02 : Python: Buffer overflow"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201811-02 (Python: Buffer overflow) A buffer overflow vulnerability have been discovered in Python. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, in special situations such as function as a service, could violate a trust boundary and cause a Denial of Service condition. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201811-02" ); script_set_attribute( attribute:"solution", value: "All Python users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-lang/python-2.7.15:2.7'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:python"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/08"); script_set_attribute(attribute:"patch_publication_date", value:"2018/11/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/09"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-lang/python", unaffected:make_list("ge 2.7.15"), vulnerable:make_list("lt 2.7.15"))) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:qpkg_report_get()); else security_note(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Python"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1372-1.NASL description This update for python fixes the following issues: Security issues fixed : - CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664). - CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 110037 published 2018-05-23 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110037 title SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2018:1372-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:1372-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(110037); script_version("1.5"); script_cvs_date("Date: 2019/09/10 13:51:47"); script_cve_id("CVE-2017-1000158", "CVE-2018-1000030"); script_name(english:"SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2018:1372-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for python fixes the following issues: Security issues fixed : - CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664). - CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1068664" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1079300" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-1000158/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1000030/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20181372-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4d8fa025" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch SUSE-SLE-WE-12-SP3-2018-964=1 SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-964=1 SUSE Linux Enterprise Server 12-SP3:zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-964=1 SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-964=1 SUSE Enterprise Storage 5:zypper in -t patch SUSE-Storage-5-2018-964=1 SUSE CaaS Platform ALL : To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. OpenStack Cloud Magnum Orchestration 7:zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-964=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpython2_7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpython2_7-1_0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpython2_7-1_0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-base-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-curses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-curses-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-demo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-gdbm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-gdbm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-idle"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-tk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-tk-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python-xml-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/17"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/23"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP3", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"3", reference:"libpython2_7-1_0-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"libpython2_7-1_0-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-base-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-base-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-base-debugsource-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-curses-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-curses-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-debugsource-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-demo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-gdbm-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-gdbm-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-idle-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-tk-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-tk-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-xml-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-xml-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"libpython2_7-1_0-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-base-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-base-debuginfo-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"python-debuginfo-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libpython2_7-1_0-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libpython2_7-1_0-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libpython2_7-1_0-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-base-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-base-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-base-debuginfo-32bit-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-base-debugsource-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-curses-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-curses-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-debugsource-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-devel-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-tk-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-tk-debuginfo-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-xml-2.7.13-28.3.2")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"python-xml-debuginfo-2.7.13-28.3.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0234-1.NASL description This update for python fixes the following issues : Updated to version 2.7.17 to unify packages among openSUSE:Factory and SLE versions (bsc#1159035). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133259 published 2020-01-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133259 title SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2019.NASL description According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160) - urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen( last seen 2020-05-08 modified 2019-09-24 plugin id 129212 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129212 title EulerOS 2.0 SP3 : python (EulerOS-SA-2019-2019) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0125_PYTHON2.NASL description An update of the python2 package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121820 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121820 title Photon OS 1.0: Python2 PHSA-2018-1.0-0125
References
- https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0
- https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view
- https://bugs.python.org/issue31530
- https://security.gentoo.org/glsa/201811-02
- https://usn.ubuntu.com/3817-1/
- https://usn.ubuntu.com/3817-2/
- https://www.oracle.com/security-alerts/cpujan2020.html