Input validation error in Python

1) Input validation error

EUVDB-ID: #VU43725

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-2135

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Python: 3.1 - 3.3

CPE2.3

• cpe:2.3:a:python_org:python:3.1:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:*:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.1.2:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.1.5:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.2:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.2.3:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.2.2150:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.3:*:*:*:*:*:*:*

External links

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670389
https://bugs.python.org/issue14579
https://secunia.com/advisories/51087
https://secunia.com/advisories/51089
https://www.openwall.com/lists/oss-security/2012/04/25/2
https://www.openwall.com/lists/oss-security/2012/04/25/4
https://www.ubuntu.com/usn/USN-1615-1
https://www.ubuntu.com/usn/USN-1616-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.