Bug#: 217221
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Hanno Boeck <hanno@gentoo.org>

Bug 217221 depends on: 216673
Bug 217221 blocks: 218469



Description:   Opened: 2008-04-10 21:33 0000
See here; 2.5.2 and all versions below are probably affected:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1721

------- Comment #1 From Ali Polatel (RETIRED) 2008-04-18 14:31:15 0000 -------
+*python-2.5.2 (18 Apr 2008)
+*python-2.4.4-r10 (18 Apr 2008)
+*python-2.3.6-r5 (18 Apr 2008)
+
+  18 Apr 2008; Ali Polatel <hawking@gentoo.org> +python-2.3.6-r5.ebuild,
+  +python-2.4.4-r10.ebuild, +python-2.5.2.ebuild:
+  Version bumps. Updated patchsets to fix buffer overflow in zlib extension
+  (CVE-2008-1721) bug 217221 and unsafe PyString_FromStringAndSize(). Added
+  patch by Mark Peloquin for distutils to respect CXXFLAGS, bug 145206. Add
+  wininst USE flag to conditionally install MS Windows executables, bug
+  198021. Use EAPI=1, rename nothreads and nocxx USE flags to threads and
+  cxx.
+
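Review bot: the `+  Version bumps.` entry lists the PyString_FromStringAndSize() fix without a CVE id while the zlib overflow is tagged CVE-2008-1721; comment #2 on this bug identifies the second issue as CVE-2008-1887, so the ChangeLog line should name both ids to make the security content of these revisions traceable. The same entry also folds unrelated changes (the CXXFLAGS distutils patch, the new wininst USE flag, EAPI=1, and the USE flag renames) into the revision bumps that carry the security fix, which makes it harder to tell which part of -r10 / -r5 a stabilisation request actually depends on.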

Updated versions have the fix included.
A note for testers: please check if the PoCs attached to the upstream bug raise
ValueError instead of dumping core :) 
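
The upstream PoCs are not attached to this bug, so the following is an added regression check rather than anything from the bug or from Gentoo's patchsets. It assumes only what the fix description above states: a zlib extension that has the CVE-2008-1721 fix rejects a non-positive length passed to Decompress.flush() with ValueError instead of sizing a buffer from it. Each probe runs in a child interpreter, so an interpreter that still dumps core shows up as a "crashed" result instead of taking the harness down with it. Written for Python 3 and run with the current interpreter by default; the interpreter path and the probed lengths are parameters.

```python
import subprocess
import sys

# Probe snippet executed in a child interpreter. It hands one length (from
# argv) to Decompress.flush() and reports the outcome through its exit code:
#   0 -> ValueError raised (the fixed behaviour the comment above asks for)
#   2 -> the call went through without complaint (length not validated)
#   3 -> some other exception (inconclusive)
# A child killed by SIGSEGV/SIGABRT never reaches sys.exit at all.
PROBE = r"""
import sys, zlib
length = int(sys.argv[1])
d = zlib.decompressobj()
try:
    d.flush(length)
except ValueError:
    sys.exit(0)
except Exception:
    sys.exit(3)
sys.exit(2)
"""


def probe_flush(length, python=sys.executable):
    """Run one flush(length) probe in a fresh interpreter.

    Returns 'fixed', 'crashed', 'unvalidated' or 'inconclusive'.
    """
    proc = subprocess.run(
        [python, "-c", PROBE, str(length)],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    rc = proc.returncode
    # On POSIX a child terminated by a signal reports a negative return code;
    # that is the "dumping core" case this check exists to detect.
    if rc < 0:
        return "crashed"
    if rc == 0:
        return "fixed"
    if rc == 2:
        return "unvalidated"
    return "inconclusive"


def check_zlib_flush(python=sys.executable, lengths=(0, -1)):
    """Probe every length in `lengths`; a patched interpreter yields 'fixed' for all."""
    return {length: probe_flush(length, python) for length in lengths}


if __name__ == "__main__":
    # Optional first argument: path to the interpreter under test,
    # e.g. the python2.5 binary from the updated ebuild.
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    results = check_zlib_flush(target)
    for length, verdict in results.items():
        print(f"flush({length}): {verdict}")
    sys.exit(0 if all(v == "fixed" for v in results.values()) else 1)
```

The exit status makes the script usable straight from an ebuild test phase or a stabilisation checklist: anything other than "fixed" for every probed length is a failure, and "crashed" in particular means the interpreter under test still has the unchecked length.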

------- Comment #2 From Robert Buchholz 2008-04-20 15:52:29 0000 -------
The "PyString_FromStringAndSize()" is CVE-2008-1887.

Ali, can you also address bug 216673 before we stable?

------- Comment #3 From Robert Buchholz 2008-04-27 11:14:36 0000 -------
hawking, I read your comment about dropping python 2.3. When exactly do you
plan to do that?

------- Comment #4 From Tobias Heinlein 2008-07-03 14:20:21 0000 -------
GLSA 200807-01
