Matplotlib Buffer Overflow Vulnerability Allowing Heap Memory Manipulation

Vulnerability

A buffer overflow vulnerability has been identified in Matplotlib versions prior to the upstream commit ba4016014cb4fb4927e36ce8ea429fed47dcb787. The vulnerability arises in the 'src/mplutils.cpp' file, where the Printf constructor improperly handles format strings, leading to a heap-based buffer overflow. This issue can be exploited through several Python-exposed functions that call Printf, with the ft2font.FT2Font constructor being the most straightforward entry point.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to arbitrary memory manipulation. Such heap overflows can often be exploited to execute arbitrary code under certain conditions.

Reproduction

The vulnerability can be reproduced by importing the 'ft2font' module from Matplotlib and passing a 2048-byte string to the 'FT2Font' constructor. This triggers the overflow: the constructor's format string handling writes the argument into a 1024-byte buffer, so the oversized input overruns it and corrupts memory.
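As an added illustration (not Matplotlib's code and not the upstream fix), the constructed C++ snippet below shows the defensive pattern for a Printf-style helper that formats into a 1024-byte heap buffer: a bounded vsnprintf path that reports truncation instead of writing past the buffer, and an exact-size path that measures before allocating. The names bounded_format, exact_format, format_into_fixed_buffer and kBufferSize are assumptions, and the 2048-byte input is constructed to mirror the reproduction described above.

```cpp
#include <cstdarg>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Assumed buffer size, matching the 1024-byte buffer the advisory describes.
constexpr std::size_t kBufferSize = 1024;

// Bounded formatter: vsnprintf writes at most `cap` bytes (terminator
// included) and returns the length the complete output would have needed,
// so a result >= cap tells the caller the output was cut off rather than
// spilled past the buffer.
static std::size_t bounded_format(char *buf, std::size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = std::vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    return needed < 0 ? 0 : static_cast<std::size_t>(needed);
}

// Exact-size formatter: measure first, then allocate, so nothing is
// truncated and nothing overflows regardless of argument length.
static std::string exact_format(const char *fmt, ...)
{
    va_list ap;
    va_list ap_copy;
    va_start(ap, fmt);
    va_copy(ap_copy, ap);
    int needed = std::vsnprintf(nullptr, 0, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        va_end(ap_copy);
        return std::string();
    }
    std::vector<char> out(static_cast<std::size_t>(needed) + 1);
    std::vsnprintf(out.data(), out.size(), fmt, ap_copy);
    va_end(ap_copy);
    return std::string(out.data(), static_cast<std::size_t>(needed));
}

struct FormatOutcome {
    std::size_t needed;   // length the full output would have needed
    std::size_t written;  // characters actually stored in the buffer
    bool truncated;       // true when the output did not fit in kBufferSize
};

// Runs one argument through the bounded path with a heap buffer of
// kBufferSize bytes, as a hardened Printf-style wrapper would.
static FormatOutcome format_into_fixed_buffer(const char *arg)
{
    char *buffer = new char[kBufferSize];
    FormatOutcome r;
    r.needed = bounded_format(buffer, kBufferSize, "%s", arg);
    r.written = std::strlen(buffer);
    r.truncated = r.needed >= kBufferSize;
    delete[] buffer;
    return r;
}

int main()
{
    // Constructed input mirroring the advisory's 2048-byte string.
    std::string oversized(2048, 'A');
    FormatOutcome r = format_into_fixed_buffer(oversized.c_str());
    std::printf("needed=%zu written=%zu truncated=%s\n", r.needed, r.written,
                r.truncated ? "yes" : "no");
    std::printf("exact_format length=%zu\n",
                exact_format("%s", oversized.c_str()).size());
    return 0;
}
```

With the 2048-byte argument the bounded path stores 1023 characters plus the terminator and reports that 2048 were needed, so the caller can reject or log the oversized input; the exact-size path returns the full 2048 characters without any fixed-capacity buffer to overrun.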

Remediation

Users can upgrade to Matplotlib versions 1.4.2-3.1 or 1.4.3~rc1-1 to address this vulnerability.

Added: Jun 26, 2025, 8:22 PM
Updated: Jun 26, 2025, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.