Vulnerability CVE-2021-3177: Information

Description

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3177
Published: Jan. 19, 2021
Modified: Nov. 7, 2023
Error type identifier: CWE-120

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
pythonsisyphus2.7.18-alt62.7.18-alt11ALT-PU-2021-2420-1281948Fixed
pythonp102.7.18-alt62.7.18-alt10ALT-PU-2021-2478-1282117Fixed
pythonc10f12.7.18-alt62.7.18-alt10ALT-PU-2021-2478-1282117Fixed
python3sisyphus3.9.2-alt13.12.2-alt1ALT-PU-2021-1412-1267062Fixed
python3p103.9.2-alt13.9.18-alt1ALT-PU-2021-1412-1267062Fixed
python3p93.7.11-alt13.7.17-alt1ALT-PU-2021-2653-1273501Fixed
python3c10f13.9.2-alt13.9.18-alt0.c10f1.1ALT-PU-2021-1412-1267062Fixed
python3c9f23.7.17-alt13.7.17-alt1ALT-PU-2024-3474-2342077Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://bugs.python.org/issue42938
  • Exploit
  • Issue Tracking
  • Patch
  • Vendor Advisory
https://github.com/python/cpython/pull/24239
  • Patch
  • Third Party Advisory
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
  • Patch
  • Third Party Advisory
GLSA-202101-18
  • Third Party Advisory
https://news.ycombinator.com/item?id=26185005
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20210226-0003/
  • Third Party Advisory
[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update
  • Mailing List
  • Third Party Advisory
N/A
  • Patch
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
  • Patch
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
  • Patch
  • Third Party Advisory
[debian-lts-announce] 20220212 [SECURITY] [DLA 2919-1] python2.7 security update
  • Mailing List
  • Third Party Advisory
N/A
  • Patch
  • Third Party Advisory
[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update
    FEDORA-2021-faf88b9499
      FEDORA-2021-cc3ff94cfc
        FEDORA-2021-e3a5a74610
          FEDORA-2021-ced31f3f0c
            FEDORA-2021-42ba9feb47
              FEDORA-2021-076a2dccba
                FEDORA-2021-851c6e4e2d
                  FEDORA-2021-66547ff92d
                    FEDORA-2021-17668e344a
                      FEDORA-2021-d5cde50865
                        FEDORA-2021-7547ad987f
                          FEDORA-2021-f4fd9372c7
                            FEDORA-2021-3352c1c802
                              [mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar
                                FEDORA-2021-907f3bacae

                                    1. Configuration 1

                                      cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
                                      Start including
                                      3.7.0
                                      End including
                                      3.7.9
                                      cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
                                      Start including
                                      3.9.0
                                      End including
                                      3.9.1
                                      cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
                                      Start including
                                      3.8.0
                                      End including
                                      3.8.7
                                      cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
                                      Start including
                                      3.6.0
                                      End including
                                      3.6.12

                                      Configuration 2

                                      cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
                                      cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

                                      Configuration 3

                                      cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
                                      cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
                                      cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*

                                      Configuration 4

                                      cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

                                      Configuration 5

                                      cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
                                      cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
                                      cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
                                      cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
                                      cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*
                                  VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                                  Version: v24.5.1
                                  Back to top