CVE-2017-1000158 in Ubuntu

CVE-2017-1000158 (retired)

Priority

Description

CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in
the PyString_DecodeEscape function in stringobject.c, resulting in
heap-based buffer overflow (and possible arbitrary code execution)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158
https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
https://usn.ubuntu.com/usn/usn-3496-1
https://usn.ubuntu.com/usn/usn-3496-2
https://usn.ubuntu.com/usn/usn-3496-3

Bugs

https://bugs.python.org/issue30657

Notes

tyhicks> PyBytes_DecodeEscape() may be affected in Python 3.x versions. Please
check.
mdeslaur> per upstream bug, 3.6 and 3.7 aren't affected

Assigned-to

leosilva

Package

Source: python2.7 (LP Ubuntu Debian)

Upstream:	released (2.7.13-4)
Ubuntu 12.04 ESM (Precise Pangolin):	released (2.7.3-0ubuntu3.10)
Ubuntu 16.04 LTS (Xenial Xerus):	released (2.7.12-1ubuntu0~16.04.2)
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected

Package

Source: python3.4 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE

Package

Source: python3.5 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	released (3.5.2-2ubuntu0~16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver):	DNE

Package

Source: python3.6 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected (code not present)

Package

Source: python3.7 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected (code not present)

More Information

Updated: 2019-09-19 16:00:57 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)