[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Serhiy Storchaka storch...@gmail.com added the comment: There are spurious print() calls in the 2.7 patch. Oh, my inattentiveness. Thank you for pushing, Antoine. And thank Martin for review. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Antoine Pitrou pit...@free.fr added the comment: There are spurious print() calls in the 2.7 patch. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Changes by Antoine Pitrou pit...@free.fr: -- stage: test needed - commit review ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Roundup Robot devn...@psf.upfronthosting.co.za added the comment: New changeset 034ff986019d by Antoine Pitrou in branch '3.2': Issue #14579: Fix CVE-2012-2135: vulnerability in the utf-16 decoder after error handling. http://hg.python.org/cpython/rev/034ff986019d New changeset 118fe0ee6921 by Antoine Pitrou in branch 'default': Port additional tests from #14579 (the issue is already fixed). http://hg.python.org/cpython/rev/118fe0ee6921 -- nosy: +python-dev ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Roundup Robot devn...@psf.upfronthosting.co.za added the comment: New changeset 4cadf91aaddd by Antoine Pitrou in branch '2.7': Issue #14579: Fix error handling bug in the utf-16 decoder. http://hg.python.org/cpython/rev/4cadf91aaddd -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Antoine Pitrou pit...@free.fr added the comment: Thanks for the patches, Serhiy! They're now pushed. -- resolution: - fixed stage: commit review - committed/rejected status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Serhiy Storchaka storch...@gmail.com added the comment: Please, can anyone do a final review and commit? Here are three patches for three Python versions: 2.7: utf16_error_handling-2.7.patch. Fix for one minor bug (overreading) and tests. 3.2: utf16_error_handling-3.2_4.patch. Fix for one critical security bug (CVE-2012-2135) and several minor bugs, tests. 3.3: utf16_error_handling-3.3.patch. Only tests. -- Added file: http://bugs.python.org/file26424/utf16_error_handling_tests-3.3.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Changes by Serhiy Storchaka storch...@gmail.com: -- components: +Interpreter Core, Unicode versions: +Python 2.7 -Python 3.1 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Changes by Georg Brandl ge...@python.org: -- nosy: +georg.brandl ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
STINNER Victor victor.stin...@gmail.com added the comment: I ran tests of utf16_error_handling-3.2_4.patch on Python 3.1. Two tests are failing: - b'\x00\xd8'.decode('utf-16le', 'replace')='\ufffd\ufffd' != '\ufffd' - b'\xd8\x00'.decode('utf-16be', 'replace')='\ufffd\ufffd' != '\ufffd' I don't think that the test is correct: UTF-16 should resynchronize as early as possible (ignore the first invalid byte and restart at the following byte), so '\ufffd\ufffd' is the correct answer. Another examples: - b'\xd8\x00\x41'.decode('utf-16be', 'replace') should return '�A' (\ufffdA') - with UTF-8 decoder: (b'\xC3' + '\xe9'.encode('utf-8')).decode('utf-8', 'replace') returns '\ufffd\xe9' -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Antoine Pitrou pit...@free.fr added the comment: I ran tests of utf16_error_handling-3.2_4.patch on Python 3.1. Two tests are failing: - b'\x00\xd8'.decode('utf-16le', 'replace')='\ufffd\ufffd' != '\ufffd' - b'\xd8\x00'.decode('utf-16be', 'replace')='\ufffd\ufffd' != '\ufffd' I don't think that the test is correct: UTF-16 should resynchronize as early as possible (ignore the first invalid byte and restart at the following byte), so '\ufffd\ufffd' is the correct answer. UTF-16 units are 16-bit words, not bytes, so '\ud' sounds correct to me. You resynchronize on the word boundary: the invalid word is skipped. - with UTF-8 decoder: (b'\xC3' + '\xe9'.encode('utf-8')).decode('utf-8', 'replace') returns '\ufffd \xe9' That's because UTF-8 operates on bytes: the invalid byte is skipped. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Martin v. Löwis mar...@v.loewis.de added the comment: UTF-16 units are 16-bit words, not bytes, so '\ud' sounds correct to me. You resynchronize on the word boundary: the invalid word is skipped. I agree. The only odd case is when the number of bytes is not even (pun intended). In that case, anybody can guess which of the bytes is extra. The most natural (IMO) assumption is that the data is truncated, so it would be the last byte which is extra. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14579] CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling
Changes by Martin v. Löwis mar...@v.loewis.de: -- title: Vulnerability in the utf-16 decoder after error handling - CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14579 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com