CentOS 6.4
Ubuntu 14.04
# Fetch the archived Python 2.2 source tree used to reproduce CVE-2007-4965.
# NOTE(review): the tarball comes from a third-party mirror and nothing here checks
# its integrity; compare its digest with a trusted copy before building, e.g.
#   sha256sum Python-2.2.tgz   # expected: <SHA256_FROM_TRUSTED_SOURCE> (placeholder)
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2007-4965/Python-2.2.tgz
tar -xvf Python-2.2.tgz
cd Python-2.2/
# Default configure/make build of the old interpreter, with no extra flags.
./configure
make
# Run the PoC script (30592.py) with the freshly built interpreter.
# NOTE(review): after the `cd` above the binary would be ./python; the path below
# presumably assumes this command is issued from the parent directory — confirm.
./Python-2.2/python 30592.py
Python 2.2 ImageOP Module - Multiple Integer Overflow Vulnerabilities
Modules/imageop.c
/*
 * Simplified excerpt of imageop_tovideo() from Modules/imageop.c, cut down to the
 * statements that matter for the overflow. The excerpt omits the declarations of
 * width and rv and the end of the function.
 */
imageop_tovideo(PyObject* args) {
int maxx, maxy, x, y, len;
unsigned char* cp, *ncp;
// "(s#iii)": cp/len describe the caller's string; width, maxx and maxy are
// caller-supplied integers, and this excerpt applies no range check to them.
PyArg_Parse(args, "(s#iii)", &cp, &len, &width, &maxx, &maxy); // unpack the arguments from args
// Root cause: maxx and maxy are int (width presumably too - its declaration is not
// shown), so the product can overflow and wrap around to a value that equals len.
// The size check then passes although maxx on its own is larger than len.
// A fix has to reject non-positive dimensions and verify that the multiplication
// cannot overflow (e.g. by dividing back) before comparing the result with len.
if ( maxx*maxy*width != len ) { // the PoC has to satisfy this constraint
return;
}
// The new string is allocated with len bytes; the caller's buffer cp is len bytes too.
rv = PyString_FromStringAndSize(NULL, len);
ncp = (unsigned char*)PyString_AsString(rv); // destination holds only len bytes
// maxx bytes are copied regardless of len: with maxx > len this writes past the end
// of ncp and also reads past the end of cp. The backtrace on this page stops later,
// inside traceback printing, which is consistent with the corrupted heap being used
// after the copy rather than with a fault at the memcpy itself.
memcpy(ncp, cp, maxx); // heap overflow here when maxx > len
#0 PyString_AsString (op=0x5093ad9) at Objects/stringobject.c:538
#1 0x080a0190 in tb_printinternal (v=0xb7e004a4, f=0x810f8b8) at Python/traceback.c:245
#2 PyTraceBack_Print (v=0xb7e004a4, f=0x810f8b8) at Python/traceback.c:279
#3 0x0809b79a in PyErr_Display (exception=0x8119e8c, value=0xb7e0055c, tb=0xb7e004a4) at Python/pythonrun.c:925
#4 0x0809eb61 in sys_excepthook (self=0x0, args=0x8112b24) at Python/sysmodule.c:121
#5 0x080b1587 in PyObject_Call (func=0x810f2b0, arg=0x8112b24, kw=0x0) at Objects/abstract.c:1665
#6 0x08079618 in PyEval_CallObjectWithKeywords (func=0x810f2b0, arg=0x8112b24, kw=0x0) at Python/ceval.c:3038
#7 0x0809c7b4 in PyErr_PrintEx (set_sys_last_vars=1) at Python/pythonrun.c:883
#8 0x0809d873 in PyRun_SimpleFileExFlags (fp=<value optimized out>, filename=0xbffff83a "30592.py", closeit=1,
flags=0xbffff5ec) at Python/pythonrun.c:693
#9 0x0805360d in Py_Main (argc=2, argv=0xbffff6d4) at Modules/main.c:369
#10 0x08052f2b in main (argc=2, argv=0xbffff6d4) at Modules/python.c:10
[1] Python Issue