[issue20440] Use the Py_SETREF macro

2015-12-24 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 23296440b654 by Serhiy Storchaka in branch '2.7':
Issue #20440: Massive replacing unsafe attribute setting code with special
https://hg.python.org/cpython/rev/23296440b654

New changeset fd36d72f6030 by Serhiy Storchaka in branch '3.5':
Issue #20440: Massive replacing unsafe attribute setting code with special
https://hg.python.org/cpython/rev/fd36d72f6030

New changeset c4e8751ce637 by Serhiy Storchaka in branch 'default':
Issue #20440: Massive replacing unsafe attribute setting code with special
https://hg.python.org/cpython/rev/c4e8751ce637

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue20440] Use the Py_SETREF macro

2015-12-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

The committed patches were generated with the attached Coccinelle script.

--
Added file: http://bugs.python.org/file41401/py_setref.cocci




[issue20440] Use the Py_SETREF macro

2015-12-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

The following patch is manually crafted and covers the remaining cases. It also 
replaces existing correct attribute replacement that uses a temporary variable 
with a more compact call of the macro.

--
Added file: http://bugs.python.org/file41402/py_setref_extra.patch




[issue24103] Use after free in xmlparser_setevents (1)

2015-12-24 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
dependencies:  -Use the Py_SETREF macro
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue24103] Use after free in xmlparser_setevents (1)

2015-12-24 Thread Roundup Robot

Roundup Robot added the comment:

New changeset deda5b5160d2 by Serhiy Storchaka in branch '2.7':
Issue #24103: Fixed possible use after free in ElementTree.iterparse().
https://hg.python.org/cpython/rev/deda5b5160d2

New changeset ed62cf0cf256 by Serhiy Storchaka in branch '3.5':
Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
https://hg.python.org/cpython/rev/ed62cf0cf256

New changeset 8a14af800f96 by Serhiy Storchaka in branch 'default':
Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
https://hg.python.org/cpython/rev/8a14af800f96

--
nosy: +python-dev




[issue25933] Unhandled exception (TypeError) with ftplib in function retrbinary/retrlines causes inoperable behavior without crashing

2015-12-24 Thread SilentGhost

SilentGhost added the comment:

OK, here is the patch with the test that I think is exercising the issue.

--
keywords: +needs review, patch
stage:  -> patch review
Added file: http://bugs.python.org/file41403/issue25933.diff




[issue8604] Adding an atomic FS write API

2015-12-24 Thread STINNER Victor

STINNER Victor added the comment:

This issue is old and different operating systems provide different
warranties on rename. Maybe this project should start as a project on PyPI
to find the best API and catch compatibility issues. For example
os.scandir() also started on PyPI.

--




[issue25909] Incorrect documentation for PyMapping_Items and like

2015-12-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Yes, the documentation and comments (and all other mentions, if any exist) 
should be corrected.

We can also consider the option to change current behavior, since it already 
differs from 2.x, but this is another issue.

--




[issue25812] locale.nl_langinfo() can't decode value

2015-12-24 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
versions:  -Python 3.4




[issue1753718] base64 "legacy" functions violate RFC 3548

2015-12-24 Thread R. David Murray

R. David Murray added the comment:

That would be a good idea, yes.  I thought Martin was doing that as part of 
issue 22088, but now that I look at the patch I see he didn't.  Martin, do you 
want to add it to that patch, or should I reopen this?

--




[issue12484] The Py_InitModule functions no longer exist, but remain in the docs

2015-12-24 Thread Anish Shah

Anish Shah added the comment:

It should be done in a separate issue, right?
Or should I include it in this patch?

--




[issue12484] The Py_InitModule functions no longer exist, but remain in the docs

2015-12-24 Thread Brett Cannon

Brett Cannon added the comment:

Please do not document _PyImport_FixupExtensionObject(); documenting the 
internal functions was a mistake.

As for whether _PyImport_FixupExtension() should be in this issue or another 
one, it doesn't matter, Anish; basically whatever is easiest for you if you 
want to do the work.

--




[issue12484] The Py_InitModule functions no longer exist, but remain in the docs

2015-12-24 Thread Anish Shah

Anish Shah added the comment:

@brett.cannon Thanks! I have updated the patch. I removed 
"_PyImport_FixupExtension" from docs.

--
Added file: http://bugs.python.org/file41404/issue12484.patch




[issue12484] The Py_InitModule functions no longer exist, but remain in the docs

2015-12-24 Thread Brett Cannon

Changes by Brett Cannon :


--
assignee: docs@python -> brett.cannon




[issue19475] Add timespec optional flag to datetime isoformat() to choose the precision

2015-12-24 Thread Alessandro Cucci

Alessandro Cucci added the comment:

Can anyone please review the C code of the last patch?

--




[issue25939] _ssl.enum_certificates() fails with ERROR_ACCESS_DENIED if python.exe run with low integrity level

2015-12-24 Thread Chi Hsuan Yen

New submission from Chi Hsuan Yen:

Originally reported at https://github.com/rg3/youtube-dl/issues/7951

Steps to reproduce:
1. Build 99665:dcf9e9ae5393 with Visual Studio 2015
2. Download and extract PsTools [1]
3. PsExec.exe -l python.exe
4. In Python, run:

import _ssl
_ssl.enum_certificates("CA")
_ssl.enum_crls("CA")

Results:
Python 3.6.0a0 (default, Dec 25 2015, 02:42:42) [MSC v.1900 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import _ssl
>>> _ssl.enum_certificates("CA")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PermissionError: [WinError 5] Access is denied
>>> _ssl.enum_crls("CA")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PermissionError: [WinError 5] Access is denied
>>>

Windows Vista and above have a security mechanism called "Low Integrity Level". 
[2] With that, only some specific registry keys are writable. In the original 
_ssl.c, both enum_certificates() and enum_crls() call CertOpenSystemStore(). 
At least on my system CertOpenSystemStore() tries to open 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA with read/write 
permissions. (Observed with Process Monitor [3]) The request fails in Low 
Integrity Level processes as it's not in the range of writable registry keys.

Here I propose a fix: open certificate stores with the read-only flag. There 
are some points I'm not sure about in this patch:
1. CERT_STORE_PROV_SYSTEM_A: I guess strings are bytestrings at the C level?
2. CERT_SYSTEM_STORE_LOCAL_MACHINE: In accounts of Administrators, 
CertOpenSystemStore() tries to open keys under HKLM only, while in restricted 
(standard) accounts, this function tries to open keys under HKCU with R/W 
permission and keys under HKLM read-only. I think opening system global stores 
is OK here.
A different perspective: Wine developers always open keys under HKCU in 
CertOpenSystemStore()

Environment: Windows 7 SP1 (6.1.7601) x86, an account in Administrators group. 
Tested with python.exe Lib\test\test_ssl.py both in a normal shell and within 
`PsExec -l`

Ref: issue17134, where this code appears for the first time

[1] https://technet.microsoft.com/en-us/sysinternals/pstools.aspx
[2] https://msdn.microsoft.com/en-us/library/bb625960.aspx
[3] https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
[4] https://github.com/wine-mirror/wine/blob/master/dlls/crypt32/store.c

--
components: Extension Modules, Windows
files: open-system-store-readonly.patch
keywords: patch
messages: 256968
nosy: Chi Hsuan Yen, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: _ssl.enum_certificates() fails with ERROR_ACCESS_DENIED if python.exe 
run with low integrity level
type: crash
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file41405/open-system-store-readonly.patch




[issue25940] SSL tests failed due to expired svn.python.org SSL certificate

2015-12-24 Thread Chi Hsuan Yen

New submission from Chi Hsuan Yen:

The certificate of svn.python.org expired at Thu 24 Dec 2015 08:28:32 PM CST 
GMT, about 20 minutes ago. Please update its certificate or lots of tests in 
Lib\test\test_ssl.py fail with SSL: CERTIFICATE_VERIFY_FAILED.

--
components: Tests
messages: 256969
nosy: Chi Hsuan Yen
priority: normal
severity: normal
status: open
title: SSL tests failed due to expired svn.python.org SSL certificate
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6




[issue25941] Add 'How to Review a Patch' section to devguide

2015-12-24 Thread Camilla Montonen

New submission from Camilla Montonen:

This list is based on helpful tips and discussions received on the 
core-mentorship list and aims to help new beginners review patches in the bug 
tracker. The submitted patch is still in progress (the layout is a bit wonky 
and some details are still missing).

--
components: Devguide
files: patchreview.patch
keywords: patch
messages: 256970
nosy: Winterflower, ezio.melotti, willingc
priority: normal
severity: normal
status: open
title: Add 'How to Review a Patch' section to devguide
Added file: http://bugs.python.org/file41406/patchreview.patch




[issue25941] Add 'How to Review a Patch' section to devguide

2015-12-24 Thread Terry J. Reedy

Changes by Terry J. Reedy :


--
nosy: +terry.reedy




[issue25939] _ssl.enum_certificates() fails with ERROR_ACCESS_DENIED if python.exe run with low integrity level

2015-12-24 Thread Steve Dower

Steve Dower added the comment:

Looks good to me.

Is it worth dropping psexec.exe into the test suite so we can add a test for 
this (or maybe into tools so we can run it from a build without redistributing 
the exe)? It'll probably be helpful elsewhere too (symlink tests, for example).

--




[issue25939] _ssl.enum_certificates() fails with ERROR_ACCESS_DENIED if python.exe run with low integrity level

2015-12-24 Thread Eryk Sun

Eryk Sun added the comment:

psexec.exe can be run from the live server.

>>> subprocess.call(r'\\live.sysinternals.com\tools\psexec.exe -s whoami')

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


nt authority\system
whoami exited on THISPC with error code 0.
0

But the executable could also be cached on the test system.

--
nosy: +eryksun




[issue25942] subprocess.call SIGKILLs too liberally

2015-12-24 Thread Mike Pomraning

New submission from Mike Pomraning:

Python 3.3 introduces timeout support in subprocess.call, implemented by 
sending a SIGKILL if the Popen.wait is interrupted by a TimeoutExpired 
exception.

However, the "except" clause is too broad, and will, for instance, trigger on a 
KeyboardInterrupt.  For practical purposes, this means that sending a Ctrl-C to 
a Python program before 3.3 sent a SIGINT to both the parent and 
subprocess.call()d child, whereas under 3.3+ it sends a SIGINT _and_ a SIGKILL 
to the child.  The child will not be able to clean up appropriately.

For a real world example of this, see http://stackoverflow.com/q/34458583/132382

The fix is, I think, simply changing the clause to "except TimeoutExpired".  At 
least, that works for me.  See attached patch.

--
components: Library (Lib)
files: subprocess-call-py344-kill-only-on-timeout.patch
keywords: patch
messages: 256973
nosy: Mike Pomraning
priority: normal
severity: normal
status: open
title: subprocess.call SIGKILLs too liberally
type: behavior
versions: Python 3.3
Added file: 
http://bugs.python.org/file41407/subprocess-call-py344-kill-only-on-timeout.patch




[issue25943] Integer overflow in _bsddb leads to heap corruption

2015-12-24 Thread Ned Williamson

New submission from Ned Williamson:

In function `_db_associateCallback` of the `_bsddb` module, associating two 
databases with a callback that returns a sufficiently large list will lead to 
heap corruption due to an integer overflow on 32-bit Python.

From `_bsddb.c`:
```
else if (PyList_Check(result))
{
    char* data;
    Py_ssize_t size;
    int i, listlen;
    DBT* dbts;

    listlen = PyList_Size(result);

1.  dbts = (DBT *)malloc(sizeof(DBT) * listlen); // sizeof(DBT) == 28 on my system, enough to overflow

2.  for (i=0; i<listlen; i++)
    {
        if (!PyBytes_Check(PyList_GetItem(result, i)))
        {
            PyErr_SetString(
                PyExc_TypeError,
#if (PY_VERSION_HEX < 0x03000000)
"The list returned by DB->associate callback should be a list of strings.");
#else
"The list returned by DB->associate callback should be a list of bytes.");
#endif
            PyErr_Print();
        }

        PyBytes_AsStringAndSize(
            PyList_GetItem(result, i),
3.          &data, &size);

        CLEAR_DBT(dbts[i]);
4.      dbts[i].data = malloc(size);  /* TODO, check this */

        if (dbts[i].data)
        {
5.          memcpy(dbts[i].data, data, size);
            dbts[i].size = size;
            dbts[i].ulen = dbts[i].size;
            dbts[i].flags = DB_DBT_APPMALLOC;  /* DB will free */
        }
        else
        {
            PyErr_SetString(PyExc_MemoryError,
                "malloc failed in _db_associateCallback (list)");
            PyErr_Print();
        }
    }

    CLEAR_DBT(*secKey);

    secKey->data = dbts;
    secKey->size = listlen;
    secKey->flags = DB_DBT_APPMALLOC | DB_DBT_MULTIPLE;
    retval = 0;
}
```

1. The multiplication in this line can overflow, allocating an undersized 
buffer.
2. This loop does not suffer from the overflow, so it can corrupt the heap by 
writing user data (see 3. and 5.).

This bug is present in Python 2.7.11.

See the result of running my attached POC script:
```
(gdb) r vuln.py
Starting program: /vagrant/Python-2.7.11/python.exe vuln.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
python.exe: malloc.c:2372: sysmalloc: Assertion `(old_top == (((mbinptr) 
(((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct 
malloc_chunk, fd && old_size == 0) || ((unsigned long) (old_size) >= 
(unsigned long)__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 
*(sizeof(size_t))) - 1)) & ~((2 *(sizeof(size_t))) - 1))) && ((old_top)->size & 
0x1) && ((unsigned long) old_end & pagemask) == 0)' failed.

Program received signal SIGABRT, Aborted.
0xb7fdd428 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fdd428 in __kernel_vsyscall ()
#1  0xb7de6607 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb7de9a33 in __GI_abort () at abort.c:89
#3  0xb7e2a9dd in __malloc_assert (
assertion=assertion@entry=0xb7f1e3c0 "(old_top == (((mbinptr) (((char *) 
&((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd 
&& old_size == 0) || ((unsigned long) (old_size) >= (unsigned 
long)__builtin_offs"...,
file=file@entry=0xb7f19954 "malloc.c", line=line@entry=2372,
function=function@entry=0xb7f19ce5 <__func__.10915> "sysmalloc") at 
malloc.c:293
#4  0xb7e2d5eb in sysmalloc (av=0xb7f62420 , nb=16) at malloc.c:2369
#5  _int_malloc (av=av@entry=0xb7f62420 , bytes=bytes@entry=1) at 
malloc.c:3800
#6  0xb7e2e708 in __GI___libc_malloc (bytes=1) at malloc.c:2891
#7  0xb7b006b2 in _db_associateCallback (db=0x82a7dd0, priKey=0xb228, 
priData=0xb034, secKey=0x8291a80)
at /vagrant/Python-2.7.11/Modules/_bsddb.c:1531
...
```
We can see that the `malloc` call on the line marked (4.) fails due to 
corrupted heap structures.
Also, running the script outside of GDB leads to a different message because of 
differences in heap layout:
```
vagrant@vagrant-ubuntu-trusty-32:/vagrant/Python-2.7.11$ ./python.exe vuln.py
*** Error in `python': corrupted double-linked list: 0x099e9858 ***
Aborted (core dumped)
```

This vulnerability can be fixed by checking for the overflow before the call to 
malloc. Also, note that the PyBytes_Check check does not exit the function, but 
PyBytes_AsStringAndSize is called immediately afterwards. I would recommend 
breaking or continuing if that check fails, although I do think 
PyBytes_AsStringAndSize performs this check as well.

--
components: Library (Lib)
files: bsddbpoc.py
messages: 256974
nosy: Ned Williamson
priority: normal
severity: normal
status: open
title: Integer overflow in _bsddb leads to heap corruption
type: crash
versions: Python 2.7
Added file: http://bugs.python.org/file41408/bsddbpoc.py
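
The overflow check the report recommends, as an added example (not code from `_bsddb.c` or from the reporter): `wrapped_size32` models the 32-bit multiplication on the line marked 1, and `copy_items` is a hardened form of the loop that checks the array size first and stops at a bad item. `dbt_t`, `item_t` and every function name are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Berkeley DB's DBT; only the fields the excerpt touches. */
typedef struct { void *data; uint32_t size; uint32_t ulen; uint32_t flags; } dbt_t;

/* Constructed stand-in for one bytes item returned by the callback. */
typedef struct { const char *data; size_t size; } item_t;

/* Byte count a 32-bit size_t yields for elem_size * count: the product
 * wraps modulo 2^32, which is how the undersized buffer comes about. */
uint32_t wrapped_size32(uint32_t elem_size, uint32_t count)
{
    return (uint32_t)((uint64_t)elem_size * count);
}

/* Overflow-checked array allocation: returns NULL instead of an undersized
 * buffer. count must be positive. */
void *alloc_array_checked(size_t elem_size, long count)
{
    if (count <= 0 || elem_size == 0)
        return NULL;
    if ((size_t)count > SIZE_MAX / elem_size)
        return NULL;                      /* elem_size * count would wrap */
    return malloc(elem_size * (size_t)count);
}

/* Frees the first n item buffers and the array itself. */
static void free_dbts(dbt_t *dbts, long n)
{
    for (long i = 0; i < n; i++)
        free(dbts[i].data);
    free(dbts);
}

/* Hardened form of the list branch: 0 on success, -1 on any failure,
 * with nothing left allocated on the failure path. */
int copy_items(const item_t *items, long n, dbt_t **out)
{
    dbt_t *dbts = alloc_array_checked(sizeof(dbt_t), n);
    if (dbts == NULL)
        return -1;
    for (long i = 0; i < n; i++) {
        /* Stop at a bad item (stands in for a failed PyBytes_Check). */
        if (items[i].data == NULL || items[i].size > UINT32_MAX) {
            free_dbts(dbts, i);
            return -1;
        }
        dbts[i].data = malloc(items[i].size ? items[i].size : 1);
        if (dbts[i].data == NULL) {
            free_dbts(dbts, i);
            return -1;
        }
        memcpy(dbts[i].data, items[i].data, items[i].size);
        dbts[i].size = dbts[i].ulen = (uint32_t)items[i].size;
        dbts[i].flags = 0;
    }
    *out = dbts;
    return 0;
}

/* Copies two constructed items; returns the total bytes copied, or -1. */
long demo_copy(void)
{
    item_t items[] = { { "key-a", 5 }, { "key-bb", 6 } };
    dbt_t *dbts = NULL;
    if (copy_items(items, 2, &dbts) != 0)
        return -1;
    long total = (long)dbts[0].size + (long)dbts[1].size;
    free_dbts(dbts, 2);
    return total;
}

/* Second constructed item is not a bytes object; returns copy_items' result. */
int demo_bad_item(void)
{
    item_t items[] = { { "ok", 2 }, { NULL, 0 } };
    dbt_t *dbts = NULL;
    return copy_items(items, 2, &dbts);
}

int main(void)
{
    printf("28 * 153391690 as 32-bit size_t: %u bytes\n",
           wrapped_size32(28u, 153391690u));
    printf("demo_copy: %ld, demo_bad_item: %d\n", demo_copy(), demo_bad_item());
    return 0;
}
```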




[issue25944] Type confusion in partial_setstate and partial_repr leads to control flow hijack

2015-12-24 Thread Ned Williamson

New submission from Ned Williamson:

static PyObject *
partial_setstate(partialobject *pto, PyObject *state)
{
    PyObject *fn, *fnargs, *kw, *dict;
    if (!PyArg_ParseTuple(state, "OOOO",
                          &fn, &fnargs, &kw, &dict))
        return NULL;
    Py_XDECREF(pto->fn);
    Py_XDECREF(pto->args);
    Py_XDECREF(pto->kw);
    Py_XDECREF(pto->dict);
    pto->fn = fn;
    pto->args = fnargs; //we control pto->args here

`partial_setstate` performs no checks on the objects
it is passed as an argument.

static PyObject *
partial_repr(partialobject *pto)
{
    PyObject *result;
    PyObject *arglist;
    PyObject *tmp;
    Py_ssize_t i, n;
    arglist = PyUnicode_FromString("");
    if (arglist == NULL) {
        return NULL;
    }
    /* Pack positional arguments */
    assert (PyTuple_Check(pto->args)); //not compiled in release build
    n = PyTuple_GET_SIZE(pto->args);
    for (i = 0; i < n; i++) {
        tmp = PyUnicode_FromFormat("%U, %R", arglist,
                                   PyTuple_GET_ITEM(pto->args, i));

In partial_repr, `pto->args` is assumed to be a tuple and
unsafe functions `PyTuple_GET_SIZE` and `PyTuple_GET_ITEM`
are called on `pto->args`. This bug is particularly bad
because `PyUnicode_FromFormat` will call the object's repr
function. In this case, the attacker gains complete control
over the program counter.

vagrant@vagrant-ubuntu-wily-64:/vagrant/Python-3.5.1$ gdb -q ./python.exe
...
(gdb) r partialpoc.py
Starting program: /vagrant/Python-3.5.1/python.exe partialpoc.py
...
Program received signal SIGSEGV, Segmentation fault.
0x004851f6 in PyObject_Repr (v=0x972c90) at Objects/object.c:482
482 res = (*v->ob_type->tp_repr)(v);
(gdb) i r
rax            0x4141414141414141   4702111234474983745
rbx            0x972c90             9907344
rcx            0x52                 82
rdx            0x77026718           140737337517848
rsi            0x0                  0
rdi            0x972c90             9907344
rbp            0x6667               0x6667
rsp            0x7fffdb60           0x7fffdb60
r8             0x0                  0
r9             0x6049a8             6310312
r10            0x                   -1
r11            0x                   -1
r12            0x7fff               9223372036854775807
r13            0x7fffdbe0           140737488346080
r14            0x6049a7             6310311
r15            0x0                  0
rip            0x4851f6             0x4851f6
eflags         0x10206              [ PF IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
gs             0x0                  0
(gdb) x/3i $pc
=> 0x4851f6 : callq  *%rax
   0x4851f8 : test   %rax,%rax
   0x4851fb : mov    %rax,%rbx

Please see the attached POC.

--
components: Library (Lib)
files: partialpoc.py
messages: 256975
nosy: Ned Williamson
priority: normal
severity: normal
status: open
title: Type confusion in partial_setstate and partial_repr leads to control 
flow hijack
type: crash
versions: Python 3.5, Python 3.6
Added file: http://bugs.python.org/file41409/partialpoc.py




[issue25945] Type confusion in partial_setstate and partial_call leads to memory corruption

2015-12-24 Thread Ned Williamson

New submission from Ned Williamson:

static PyObject *
partial_setstate(partialobject *pto, PyObject *state)
{
    PyObject *fn, *fnargs, *kw, *dict;
    if (!PyArg_ParseTuple(state, "OOOO",
                          &fn, &fnargs, &kw, &dict))
        return NULL;
    Py_XDECREF(pto->fn);
    Py_XDECREF(pto->args);
    Py_XDECREF(pto->kw);
    Py_XDECREF(pto->dict);
    pto->fn = fn;
    pto->args = fnargs; //we control pto->args here

`partial_setstate` performs no checks on the objects
it is passed as an argument.

static PyObject *
partial_call(partialobject *pto, PyObject *args, PyObject *kw)
{
    PyObject *ret;
    PyObject *argappl = NULL, *kwappl = NULL;

    assert (PyCallable_Check(pto->fn));
    assert (PyTuple_Check(pto->args)); //assume pto->args is a tuple
                                       //assertion not present in release build
    assert (pto->kw == Py_None  ||  PyDict_Check(pto->kw));

    if (PyTuple_GET_SIZE(pto->args) == 0) {
        argappl = args;
        Py_INCREF(args);
    } else if (PyTuple_GET_SIZE(args) == 0) {
        argappl = pto->args; //partial function called with no arguments
        Py_INCREF(pto->args);
    } else {
        argappl = PySequence_Concat(pto->args, args);
        if (argappl == NULL)
            return NULL;
    }

    if (pto->kw == Py_None) {
        kwappl = kw;
        Py_XINCREF(kw);
    } else {
        kwappl = PyDict_Copy(pto->kw);
        if (kwappl == NULL) {
            Py_DECREF(argappl);
            return NULL;
        }
        if (kw != NULL) {
            if (PyDict_Merge(kwappl, kw, 1) != 0) {
                Py_DECREF(argappl);
                Py_DECREF(kwappl);
                return NULL;
            }
        }
    }
    ret = PyObject_Call(pto->fn, argappl, kwappl); //pto->fn called with non-tuple argappl

We can see that in the provided POC there is an increment on a user-controlled 
address (in this case, the literal refcount of a given "argument" is 
interpreted as a pointer), as `_PyEval_EvalCodeWithName` does not validate the 
type of `PyObject **args` either (I assume this is a fair assumption for 
`_PyEval_EvalCodeWithName`, and the bug simply lies in the unsafe partial code).

vagrant@vagrant-ubuntu-wily-64:/vagrant/Python-3.5.1$ gdb -q ./python.exe
...
(gdb) r partialpoc2.py
Starting program: /vagrant/Python-3.5.1/python.exe partialpoc2.py
...
Program received signal SIGSEGV, Segmentation fault.
_PyEval_EvalCodeWithName (_co=0x77045ae0, globals=, 
locals=locals@entry=0x0, args=args@entry=0x76fbc520, argcount=1280, 
kws=kws@entry=0x0, kwcount=0, defs=0x0, defcount=0,
kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0) at Python/ceval.c:3793
3793        Py_INCREF(x);
(gdb) i r
rax            0x9b4b68             10177384
rbx            0x76fbc520           140737337083168
rcx            0x1                  1
rdx            0x2                  2
rsi            0x500                1280
rdi            0x0                  0
rbp            0x0                  0x0
rsp            0x7fffdb30           0x7fffdb30
r8             0x500                1280
r9             0x0                  0
r10            0x774a6c58           140737342237784
r11            0x9b4b40             10177344
r12            0x0                  0
r13            0x0                  0
r14            0x76fb91e0           140737337070048
r15            0x77e1a048           140737352147016
rip            0x4fc771             0x4fc771 <_PyEval_EvalCodeWithName+961>
eflags         0x10202              [ IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
gs             0x0                  0
(gdb) x/3i $pc
=> 0x4fc771 <_PyEval_EvalCodeWithName+961>: addq   $0x1,(%rsi)
   0x4fc775 <_PyEval_EvalCodeWithName+965>: cmp    %edx,%r8d
   0x4fc778 <_PyEval_EvalCodeWithName+968>: mov    %rsi,0x18(%rax,%rcx,8)

--
files: partialpoc2.py
messages: 256976
nosy: Ned Williamson
priority: normal
severity: normal
status: open
title: Type confusion in partial_setstate and partial_call leads to memory 
corruption
type: crash
versions: Python 3.5, Python 3.6
Added file: http://bugs.python.org/file41410/partialpoc2.py
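
The validation missing from `partial_setstate` in this report and in issue25944, as an added example (not CPython's code and not the project's fix): a constructed miniature object model in which setstate enforces the invariants that the asserts in `partial_call` state, before anything is stored. The tag-based model and all names in it are assumptions made for illustration, and reference counting is left out.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed miniature object model (not CPython's): a type tag heads every object. */
typedef enum { T_NONE, T_INT, T_TUPLE, T_DICT, T_FUNC } tag_t;
typedef struct { tag_t tag; } obj_t;
typedef struct { obj_t base; long value; } int_obj;
typedef struct { obj_t base; size_t size; obj_t **items; } tuple_obj;
typedef struct { obj_t *fn, *args, *kw, *dict; } partial_obj;

/* Unchecked accessors in the style of PyTuple_GET_SIZE / PyTuple_GET_ITEM:
 * they cast blindly, so they are only safe once the tag has been verified. */
#define TUPLE_GET_SIZE(o)    (((tuple_obj *)(o))->size)
#define TUPLE_GET_ITEM(o, i) (((tuple_obj *)(o))->items[i])

static int has_tag(const obj_t *o, tag_t t) { return o != NULL && o->tag == t; }

/* Hardened setstate: check every invariant the later code relies on, then
 * commit. Nothing in *pto changes unless the whole state is valid.
 * Returns 0 on success, -1 on an invalid state. */
int partial_setstate_checked(partial_obj *pto, obj_t *state)
{
    if (!has_tag(state, T_TUPLE) || TUPLE_GET_SIZE(state) != 4)
        return -1;
    obj_t *fn = TUPLE_GET_ITEM(state, 0), *args = TUPLE_GET_ITEM(state, 1);
    obj_t *kw = TUPLE_GET_ITEM(state, 2), *dict = TUPLE_GET_ITEM(state, 3);
    if (!has_tag(fn, T_FUNC))                          /* fn must be callable */
        return -1;
    if (!has_tag(args, T_TUPLE))                       /* args must be a tuple */
        return -1;
    if (!has_tag(kw, T_NONE) && !has_tag(kw, T_DICT))  /* kw is None or a dict */
        return -1;
    if (dict == NULL)
        return -1;
    pto->fn = fn; pto->args = args; pto->kw = kw; pto->dict = dict;
    return 0;
}

/* Safe only because setstate guarantees pto->args is a tuple. */
size_t partial_nargs(const partial_obj *pto) { return TUPLE_GET_SIZE(pto->args); }

/* Constructed sample objects. */
static obj_t none_o = { T_NONE }, func_o = { T_FUNC }, dict_o = { T_DICT };
static int_obj one = { { T_INT }, 1 }, two = { { T_INT }, 2 };
static obj_t *arg_items[] = { &one.base, &two.base };
static tuple_obj good_args = { { T_TUPLE }, 2, arg_items };
static int_obj fake_args = { { T_INT }, 1234 };   /* an int in the args slot */
static obj_t *good_items[] = { &func_o, &good_args.base, &none_o, &dict_o };
static obj_t *bad_items[]  = { &func_o, &fake_args.base, &none_o, &dict_o };
static tuple_obj good_state = { { T_TUPLE }, 4, good_items };
static tuple_obj bad_state  = { { T_TUPLE }, 4, bad_items };

/* Returns the argument count after loading a valid state, or -1. */
long demo_valid_state(void)
{
    partial_obj p = { NULL, NULL, NULL, NULL };
    if (partial_setstate_checked(&p, &good_state.base) != 0)
        return -1;
    return (long)partial_nargs(&p);
}

/* Returns 1 if a state whose args slot holds an int is rejected and the
 * previously stored args tuple is left untouched. */
int demo_confused_state(void)
{
    partial_obj p = { NULL, NULL, NULL, NULL };
    if (partial_setstate_checked(&p, &good_state.base) != 0)
        return 0;
    int rc = partial_setstate_checked(&p, &bad_state.base);
    return rc == -1 && p.args == &good_args.base && partial_nargs(&p) == 2;
}

int main(void)
{
    printf("valid state -> nargs = %ld\n", demo_valid_state());
    printf("confused state rejected = %d\n", demo_confused_state());
    return 0;
}
```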




[issue25945] Type confusion in partial_setstate and partial_call leads to memory corruption

2015-12-24 Thread Ned Williamson

Changes by Ned Williamson :


--
components: +Library (Lib)




[issue25946] configure should pick /usr/bin/g++ automatically if present

2015-12-24 Thread Karl Richter

New submission from Karl Richter:

`./configure` both prints `checking for g++... no` and 

WARNING:

  By default, distutils will build C++ extension modules with "g++".
  If this is not intended, then set CXX on the configure command line.

if `/usr/bin/g++` is present and executable, which doesn't seem to be 
constructive because it's quite common that one wants to use `/usr/bin/g++` as 
the CXX compiler if available. In case incompatibilities exist with other C++ 
compilers, there should be a check and a more detailed error message.

Furthermore, the error message doesn't explain whether a part of distutils 
won't be built, because the message sounds like the C++ extension is built, but 
does it work without a C++ compiler?

Specifying `CXX` environment variable or `--with-cxx-main=/usr/bin/g++` 
`configure` option works fine.

experienced with 8a2e735 (on branch 2.7)

--
components: Build
messages: 256977
nosy: krichter
priority: normal
severity: normal
status: open
title: configure should pick /usr/bin/g++ automatically if present
versions: Python 2.7




[issue25939] _ssl.enum_certificates() fails with ERROR_ACCESS_DENIED if python.exe run with low integrity level

2015-12-24 Thread Chi Hsuan Yen

Chi Hsuan Yen added the comment:

PsExec.exe seems not redistributable. PAExec is an alternative but I've not 
tried it. [1] Another option is re-implementing a tiny program for lowering the 
integrity level based on example code provided in [2], which I've not tried 
yet, either. The latter option seems better to me as I didn't find code for 
lowering the integrity level in PAExec's source code. [3]

[1] https://www.poweradmin.com/paexec/
[2] https://msdn.microsoft.com/en-us/library/bb625960.aspx
[3] https://github.com/poweradminllc/PAExec

--




[issue25939] _ssl.enum_certificates() fails with ERROR_ACCESS_DENIED if python.exe run with low integrity level

2015-12-24 Thread Chi Hsuan Yen

Chi Hsuan Yen added the comment:

OK, I've just succeeded in creating a low integrity level process with my own 
code. Now the problem is: how can I integrate this tool into the test system? 
It seems the integrity level is per-process, while all tests are run in the 
same process.

--
Added file: http://bugs.python.org/file41411/lower_integrity_level.c




[issue25945] Type confusion in partial_setstate and partial_call leads to memory corruption

2015-12-24 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
assignee:  -> serhiy.storchaka
components: +Extension Modules -Library (Lib)
nosy: +ncoghlan, rhettinger, serhiy.storchaka
stage:  -> needs patch
versions: +Python 2.7
