CVE-2007-2052
Published 2007-04-16
CVE-2007-2052: Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm…
Priority: P4 · 28
Severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 12.48% (95.7th percentile)
Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| python | python | — | — |
| python | python | — | — |
| vmware | esxi | — | — |
| vmware | vmware_tools | — | — |
| vmware | vmware_vcenter_server | — | — |
| vmware | vmware_vsphere | — | — |
| vmware | vmware_workstation | — | — |
CVSS provenance
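| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | | 5.0 | MEDIUM | |
| vendor_ubuntu | | 5.0 | MEDIUM | |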
GHSA
GHSA-7hcx-rxp8-j55g: Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule
ghsa_unreviewed·2022-05-01
CVE-2007-2052 [MEDIUM] CWE-193 GHSA-7hcx-rxp8-j55g: Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule
Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.
VMware
VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
vendor_vmware·2009-11-20·CVSS 5.0
CVE-2007-2052 [MEDIUM] VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
VMSA-2009-0016: VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-
Ubuntu
Python vulnerabilities
vendor_ubuntu·2008-03-11·CVSS 5.0
CVE-2007-2052 [MEDIUM] Python vulnerabilities
Piotr Engelking discovered that strxfrm in Python was not correctly
calculating the size of the destination buffer. This could lead to small
information leaks, which might be used by attackers to gain additional
knowledge about the state of a running Python script. (CVE-2007-2052)
A flaw was discovered in the Python imageop module. If a script using
the module could be tricked into processing a specially crafted set of
arguments, a remote attacker could execute arbitrary code, or cause the
application to crash. (CVE-2007-4965)
Instructions: After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Red Hat
python off-by-one locale.strxfrm() (possible memory disclosure)
vendor_redhat·2007-04-02·CVSS 5.0
CVE-2007-2052 [MEDIUM] CWE-193 python off-by-one locale.strxfrm() (possible memory disclosure)
Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.
Statement: The Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:
https://access.redhat.com/security/updates/classification/
Bugzilla
CVE-2007-2052 python off-by-one locale.strxfrm() (possible memory disclosure)
bugzilla·2007-04-03·CVSS 5.0
CVE-2007-2052 [MEDIUM] CVE-2007-2052 python off-by-one locale.strxfrm() (possible memory disclosure)
Description of problem:
Modules/_localemodule.c:361

356     n1 = strlen(s) + 1;
357     buf = PyMem_Malloc(n1);
358     if (!buf)
359         return PyErr_NoMemory();
360     n2 = strxfrm(buf, s, n1);

In case the transformed string is longer than the original string...
(see the PoC for an example)

361     if (n2 > n1) {
362         /* more space needed */

We allocate n2 bytes here:

363         buf = PyMem_Realloc(buf, n2);
364         if (!buf)
365             return PyErr_NoMemory();

And here the string will be n2 chars long and the terminating NUL won't fit, and thus the string won't be terminated, which can lead to an information leak in certain rare cases (see the original Debian report for details).

366         strxfrm(buf, s, n2);
367     }
368     result = PyString_FromString(buf);
369 P
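The sizing logic from the report above, as an added example (not the Python source and not code from the bug report). `demo_xfrm` is a hypothetical stand-in for strxfrm() that doubles each byte and leaves the output unterminated when it does not fit, which is the behaviour the report describes; `transform_is_terminated` and its `fixed` flag are likewise assumptions of the example. It goes one step beyond the report by also covering the n2 == n1 boundary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for strxfrm(): doubles every byte so the output is
 * longer than the input without needing a locale. Same contract: returns the
 * length needed (excluding the NUL), writes at most n bytes, and terminates
 * the output only if the whole result fits. */
static size_t demo_xfrm(char *dst, const char *src, size_t n) {
    size_t need = 2 * strlen(src);
    for (size_t i = 0; i < need && i < n; i++)
        dst[i] = src[i / 2];
    if (need < n)
        dst[need] = '\0';
    return need;
}

/* Runs the two-call pattern from the report. With fixed == 0, n2 is the raw
 * return value (the off-by-one); with fixed != 0, one byte is added for the
 * terminator. Returns 1 if the final buffer contains a NUL within its
 * allocated size, 0 if it does not, -1 on allocation failure. */
int transform_is_terminated(const char *s, int fixed) {
    size_t n1 = strlen(s) + 1;
    size_t size = n1;
    char *buf = malloc(n1);
    if (!buf)
        return -1;
    size_t n2 = demo_xfrm(buf, s, n1) + (fixed ? 1 : 0);
    if (n2 > n1) {                      /* more space needed */
        char *tmp = realloc(buf, n2);
        if (!tmp) { free(buf); return -1; }
        buf = tmp;
        size = n2;
        demo_xfrm(buf, s, n2);
    }
    /* Bounded check in place of PyString_FromString(buf), whose strlen()
     * would run past the allocation when no NUL is present. */
    int ok = memchr(buf, '\0', size) != NULL;
    free(buf);
    return ok;
}

int main(void) {
    const char *samples[] = { "abc", "a", "" };   /* constructed inputs */
    for (int i = 0; i < 3; i++)
        printf("\"%s\": original=%d fixed=%d\n", samples[i],
               transform_is_terminated(samples[i], 0),
               transform_is_terminated(samples[i], 1));
    return 0;
}
```

With `fixed` set, n2 counts the terminator, so both the `n2 > n1` comparison and the reallocation size are correct, including the case where the transformed length equals n1 and the original code skips the reallocation entirely.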
Bugzilla
CVE-2007-2052 Off-by-one in python's locale.strxfrm()
bugzilla·2007-04-03·CVSS 5.0
CVE-2007-2052 [MEDIUM] CVE-2007-2052 Off-by-one in python's locale.strxfrm()
+++ This bug was initially created as a clone of Bug #235093 +++
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416934
http://lists.vmware.com/pipermail/security-announce/2008/000005.html
http://secunia.com/advisories/25190
http://secunia.com/advisories/25217
http://secunia.com/advisories/25233
http://secunia.com/advisories/25353
http://secunia.com/advisories/25787
http://secunia.com/advisories/28027
http://secunia.com/advisories/28050
http://secunia.com/advisories/29032
http://secunia.com/advisories/29303
http://secunia.com/advisories/29889
http://secunia.com/advisories/31255
http://secunia.com/advisories/31492
http://secunia.com/advisories/37471
http://www.debian.org/security/2008/dsa-1551
http://www.debian.org/security/2008/dsa-1620
http://www.mandriva.com/security/advisories?name=MDKSA-2007:099
http://www.novell.com/linux/security/advisories/2007_13_sr.html
http://www.python.org/download/releases/2.5.1/NEWS.txt
http://www.redhat.com/support/errata/RHSA-2007-1076.html
http://www.redhat.com/support/errata/RHSA-2007-1077.html
http://www.redhat.com/support/errata/RHSA-2008-0629.html
http://www.securityfocus.com/archive/1/469294/30/6450/threaded
http://www.securityfocus.com/archive/1/488457/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/23887
http://www.trustix.org/errata/2007/0019/
http://www.ubuntu.com/usn/usn-585-1
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2007/1465
http://www.vupen.com/english/advisories/2008/0637
http://www.vupen.com/english/advisories/2009/3316
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235093
https://exchange.xforce.ibmcloud.com/vulnerabilities/34060
https://issues.rpath.com/browse/RPL-1358
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11716
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8353
Published: 2007-04-16