Potential Risk of CVE

Perhaps the IoT world should be vigilant – CVE-2021-3177 (26th Jan 2021)

Leave a comment

Preface: On macOS, dynamic-link libraries are known as dylib files. This is the equivalent to a DLL on Windows and
a shared library (or .so library) on Linux.

Background: ctypes is a foreign function library for Python. It provides C compatible data types, and allows calling functions in DLLs or shared libraries. It can be used to wrap these libraries in pure Python.

Design objective: Calling C++ libraries from Python allows the developer to build an application that takes advantage of the best of Python and C++. The result is an application that combines both speed and simplicity.

Vulnerability details: There’s a buffer overflow in the ctypes PyCArg_repr() function. (Disclosure date: 2021-01-16)

Design weakness: There’s a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.
The buffer overflow happens due to not checking the length of specify sprintf() function.

CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3177

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.