Bug#: 232137
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
Filename | Description | Type | Creator | Created | Size
python-2.4.4-CVE-2008-3144.patch | python-2.4.4-CVE-2008-3144.patch | patch | Robert Buchholz | 2008-07-18 02:26 0000 | 1.82 KB
python-2.4.4-CVE-2008-3142.patch | python-2.4.4-CVE-2008-3142.patch | patch | Robert Buchholz | 2008-07-28 20:22 0000 | 7.49 KB
python-2.4.4-CVE-2008-3143.patch | python-2.4.4-CVE-2008-3143.patch | patch | Robert Buchholz | 2008-07-28 20:22 0000 | 28.64 KB

Description:   Opened: 2008-07-18 01:46 0000
Three issues in Python have been reported:

=============================================================
CVE-2008-3142
Justin Ferguson: Multiple buffer overflows in unicode processing

The unicode_resize() function acts essentially as a wrapper to
realloc(), it accomplishes this via the PyMem_RESIZE() macro which
factors the size with the size of the type, in this case it multiplies
by two as Py_UNICODE is typedef'd to a wchar_t. When resizing large
strings, this results in an incorrect allocation that in turn leads to
buffer overflow.

Bug: http://bugs.python.org/issue2620
Proposed patch: http://bugs.python.org/file10825/issue2620-gps02-patch.txt

Only affects 32 bit systems.

=============================================================
CVE-2008-3143
"Google integer overflows"

Added checks for integer overflows, contributed by Google. Some are
only available if asserts are left in the code, in cases where they
can't be triggered from Python code.

http://svn.python.org/view?rev=60793&view=rev

Fixes are in 2.5.2.

=============================================================
CVE-2008-3144
Justin Ferguson: PyOS integer underflow/overflow

Fix potential integer underflow and overflow conditions in
the PyOS_vsnprintf C API function.

This is a backport of r63728 and r63734 from trunk.
http://svn.python.org/view?rev=63883&view=rev

Fix issue2589: there was a potential integer overflow leading to
memory corruption on esoteric platforms and incorrect behavior on
normal platforms.
http://bugs.python.org/issue2589
http://svn.python.org/view?rev=63728&view=rev

Fix issue2588: Do not execute str[size-1] = '\0' when a 0 size is
passed in.  (The assert won't prevent this in non-debug builds).
http://svn.python.org/view?rev=63734&view=rev
http://bugs.python.org/issue2588
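
The size calculation described under CVE-2008-3142, shown beside a checked form. This is an added example, not code from the bug report, the attached patches or Python's source. It assumes uint32_t as a stand-in for a 32-bit size_t and an element size of two as stated in the report; the names size32_t, unchecked_bytes, checked_bytes and safe_resize are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: uint32_t stands in for the 32-bit size_t of an affected build. */
typedef uint32_t size32_t;

/* Byte count as an unchecked resize macro computes it: n * elem_size,
 * truncated to 32 bits, so a large n wraps to a small request. */
static size32_t unchecked_bytes(size32_t n, size32_t elem_size)
{
    return (size32_t)((uint64_t)n * elem_size);
}

/* Hardened form: reject the request when n * elem_size is not representable. */
static int checked_bytes(size32_t n, size32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && n > UINT32_MAX / elem_size)
        return -1;
    *out = n * elem_size;
    return 0;
}

/* Resize wrapper that leaves *buf untouched unless the new size is valid. */
static int safe_resize(void **buf, size32_t n, size32_t elem_size)
{
    size32_t bytes;
    void *p;

    if (checked_bytes(n, elem_size, &bytes) != 0)
        return -1;
    p = realloc(*buf, bytes ? bytes : 1);
    if (p == NULL)
        return -1;
    *buf = p;
    return 0;
}

int main(void)
{
    void *buf = NULL;
    size32_t n = 0x80000001u;   /* constructed element count */

    printf("unchecked request: %u bytes for %u elements\n",
           (unsigned)unchecked_bytes(n, 2), (unsigned)n);
    printf("checked resize: %d\n", safe_resize(&buf, n, 2));
    printf("small resize:   %d\n", safe_resize(&buf, 16, 2));
    free(buf);
    return 0;
}
```

The unchecked path asks the allocator for 2 bytes while the caller still believes it holds 0x80000001 elements; the checked path refuses the resize and keeps the original buffer.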

------- Comment #1 From Robert Buchholz 2008-07-18 02:26:26 0000 -------
Created an attachment (id=160679) [details]
python-2.4.4-CVE-2008-3144.patch

------- Comment #2 From Robert Buchholz 2008-07-28 20:22:11 0000 -------
Created an attachment (id=161577) [details]
python-2.4.4-CVE-2008-3142.patch

------- Comment #3 From Robert Buchholz 2008-07-28 20:22:25 0000 -------
Created an attachment (id=161579) [details]
python-2.4.4-CVE-2008-3143.patch

------- Comment #4 From Tiziano Müller 2008-07-31 13:56:46 0000 -------
Fixed together with the patches from bug #230640

------- Comment #5 From Robert Buchholz 2008-07-31 23:34:27 0000 -------
GLSA 200807-16
