CVE-2017-1000158: Buffer Overflow
First published: Fri Nov 17 2017(Updated: )
CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/python2.7 | 2.7.16-2+deb10u1 2.7.16-2+deb10u3 2.7.18-8+deb11u1 | |
| Python 2.7 | <2.7.15 | |
| Python 2.7 | >=3.4.0<3.4.8 | |
| Python 2.7 | >=3.5.0<3.5.5 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.python.org/issue30657
- https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
- https://github.com/python/cpython/commit/6c004b40f9d51872d848981ef1a18bb08c2dfc42
- https://github.com/python/cpython/commit/fd8614c5c5466a14a945db5b059c10c0fb8f76d9
- https://security-tracker.debian.org/tracker/CVE-2017-1000158
- http://www.securitytracker.com/id/1039890
- https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html
- https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html
- https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html
- https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html
- https://security.gentoo.org/glsa/201805-02
- https://security.netapp.com/advisory/ntap-20230216-0001/
- https://www.debian.org/security/2018/dsa-4307
Frequently Asked Questions
What is the severity of CVE-2017-1000158?
CVE-2017-1000158 has a high severity rating due to the potential for a heap-based buffer overflow and arbitrary code execution.
How do I fix CVE-2017-1000158?
To fix CVE-2017-1000158, upgrade to Python versions 2.7.16 or higher.
What versions of Python are affected by CVE-2017-1000158?
Python versions up to 2.7.13, as well as certain versions from 3.4.0 to 3.4.8 and from 3.5.0 to 3.5.5, are affected by CVE-2017-1000158.
What impact does CVE-2017-1000158 have on my systems?
The impact of CVE-2017-1000158 includes possible arbitrary code execution due to an integer overflow vulnerability.
Is CVE-2017-1000158 exploitable remotely?
Yes, CVE-2017-1000158 is considered exploitable remotely if an attacker can send specially crafted input to the affected application.
- collector/security-tracker-debian
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/remedy
- agent/author
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/python
- canonical/python 2.7
- version/python 2.7/3.4.0
- version/python 2.7/3.5.0
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0
- version/debian linux/9.0