Vulnerabilities > CVE-2018-20406 - Integer Overflow or Wraparound vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
python
debian
fedoraproject
CWE-190
nessus

Summary

Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-6B02154AA0.NASL
    descriptionLast upstream Python 3.4 security release, 3.4.10. Security fix for CVE-2019-9636, CVE-2019-5010, CVE-2018-20406. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123475
    published2019-03-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123475
    titleFedora 29 : python34 (2019-6b02154aa0)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1230.NASL
    descriptionA NULL pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities. (CVE-2019-5010) Python 2.7.16 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. (CVE-2019-9636) A flaw was found in the way catastrophic backtracking was implemented in python
    last seen2020-06-01
    modified2020-06-02
    plugin id126383
    published2019-07-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126383
    titleAmazon Linux 2 : python (ALAS-2019-1230)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-7D9F3CF3CE.NASL
    descriptionLast upstream Python 3.4 security release, 3.4.10. Security fix for CVE-2019-9636, CVE-2019-5010, CVE-2018-20406. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124511
    published2019-05-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124511
    titleFedora 30 : python34 (2019-7d9f3cf3ce)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4127-1.NASL
    descriptionIt was discovered that Python incorrectly handled certain pickle files. An attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-20406) It was discovered that Python incorrectly validated the domain when handling cookies. An attacker could possibly trick Python into sending cookies to the wrong domain. (CVE-2018-20852) Jonathan Birch and Panayiotis Panayiotou discovered that Python incorrectly handled Unicode encoding during NFKC normalization. An attacker could possibly use this issue to obtain sensitive information. (CVE-2019-9636, CVE-2019-10160) Colin Read and Nicolas Edet discovered that Python incorrectly handled parsing certain X509 certificates. An attacker could possibly use this issue to cause Python to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-5010) It was discovered that Python incorrectly handled certain urls. A remote attacker could possibly use this issue to perform CRLF injection attacks. (CVE-2019-9740, CVE-2019-9947) Sihoon Lee discovered that Python incorrectly handled the local_file: scheme. A remote attacker could possibly use this issue to bypass blacklist meschanisms. (CVE-2019-9948). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128631
    published2019-09-10
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128631
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-6BAEB15DA3.NASL
    descriptionLast upstream Python 3.4 security release, 3.4.10. Security fix for CVE-2019-9636, CVE-2019-5010, CVE-2018-20406. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123476
    published2019-03-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123476
    titleFedora 28 : python34 (2019-6baeb15da3)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1204.NASL
    descriptionPython 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.(CVE-2019-9636) Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a
    last seen2020-06-01
    modified2020-06-02
    plugin id124594
    published2019-05-06
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124594
    titleAmazon Linux 2 : python3 (ALAS-2019-1204)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0132_PYTHON3.NASL
    descriptionAn update of the python3 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id122909
    published2019-03-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122909
    titlePhoton OS 2.0: Python3 PHSA-2019-2.0-0132
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0212_PYTHON3.NASL
    descriptionAn update of the python3 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id122924
    published2019-03-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122924
    titlePhoton OS 1.0: Python3 PHSA-2019-1.0-0212
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-6E1938A3C5.NASL
    descriptionSecurity update to Python 3.5.7. Security fix for CVE-2019-5010, CVE-2018-20406, CVE-2018-1060, CVE-2018-1061, CVE-2019-9636. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123140
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123140
    titleFedora 29 : python35 (2019-6e1938a3c5)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1663.NASL
    descriptionThis DLA fixes a a problem parsing x509 certificates, an pickle integer overflow, and some other minor issues : CVE-2016-0772 The smtplib library in CPython does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id122036
    published2019-02-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122036
    titleDebian DLA-1663-1 : python3.4 security update
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1202.NASL
    descriptionPython is affected by improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. (CVE-2019-9636) Modules/_pickle.c in Python has an integer overflow via a large LONG_BINPUT value that is mishandled during a
    last seen2020-06-01
    modified2020-06-02
    plugin id124655
    published2019-05-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124655
    titleAmazon Linux AMI : python34 (ALAS-2019-1202)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0215-1.NASL
    descriptionThis update for python3 fixes the following issues : Security issue fixed : CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-02-01
    plugin id121540
    published2019-02-01
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121540
    titleSUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:0215-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0114-1.NASL
    descriptionThis update for python3 to version 3.6.10 fixes the following issues : CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133036
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133036
    titleSUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-155.NASL
    descriptionThis update for python3 fixes the following issues : Security issue fixed : - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id122091
    published2019-02-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122091
    titleopenSUSE Security Update : python3 (openSUSE-2019-155)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-51F1E08207.NASL
    descriptionSecurity update to Python 3.5.7. Security fix for CVE-2019-5010, CVE-2018-20406, CVE-2018-1060, CVE-2018-1061, CVE-2019-9636. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124492
    published2019-05-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124492
    titleFedora 30 : python35 (2019-51f1e08207)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-CF725DD20B.NASL
    descriptionSecurity update to Python 3.5.7. Security fix for CVE-2019-5010, CVE-2018-20406, CVE-2018-1060, CVE-2018-1061, CVE-2019-9636. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123480
    published2019-03-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123480
    titleFedora 28 : python35 (2019-cf725dd20b)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-86.NASL
    descriptionThis update for python3 to version 3.6.10 fixes the following issues : - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id133172
    published2020-01-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133172
    titleopenSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0243-1.NASL
    descriptionThis update for python3 fixes the following issues : Security issue fixed : CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-02-06
    plugin id121616
    published2019-02-06
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121616
    titleSUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:0243-1)

Redhat

advisories
rhsa
idRHSA-2019:3725
rpms
  • rh-python36-python-0:3.6.9-2.el6
  • rh-python36-python-0:3.6.9-2.el7
  • rh-python36-python-debug-0:3.6.9-2.el6
  • rh-python36-python-debug-0:3.6.9-2.el7
  • rh-python36-python-debuginfo-0:3.6.9-2.el6
  • rh-python36-python-debuginfo-0:3.6.9-2.el7
  • rh-python36-python-devel-0:3.6.9-2.el6
  • rh-python36-python-devel-0:3.6.9-2.el7
  • rh-python36-python-libs-0:3.6.9-2.el6
  • rh-python36-python-libs-0:3.6.9-2.el7
  • rh-python36-python-test-0:3.6.9-2.el6
  • rh-python36-python-test-0:3.6.9-2.el7
  • rh-python36-python-tkinter-0:3.6.9-2.el6
  • rh-python36-python-tkinter-0:3.6.9-2.el7
  • rh-python36-python-tools-0:3.6.9-2.el6
  • rh-python36-python-tools-0:3.6.9-2.el7

References