Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 217221 - dev-lang/python <2.4.4-r10 Buffer overflow in zlib extension (CVE-2008-{1721,1887})
Summary: dev-lang/python <2.4.4-r10 Buffer overflow in zlib extension (CVE-2008-{1721,...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://bugs.python.org/issue2586
Whiteboard: A2 [glsa]
Keywords:
Depends on: CVE-2008-1679
Blocks: 218469
  Show dependency tree
 
Reported: 2008-04-10 21:33 UTC by Hanno Böck
Modified: 2008-07-03 14:20 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2008-04-10 21:33:02 UTC
See here, 2.5.2 and all versions below probably affected:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1721
Comment 1 Ali Polatel (RETIRED) gentoo-dev 2008-04-18 14:31:15 UTC
+*python-2.5.2 (18 Apr 2008)
+*python-2.4.4-r10 (18 Apr 2008)
+*python-2.3.6-r5 (18 Apr 2008)
+
+  18 Apr 2008; Ali Polatel <hawking@gentoo.org> +python-2.3.6-r5.ebuild,
+  +python-2.4.4-r10.ebuild, +python-2.5.2.ebuild:
+  Version bumps. Updated patchsets to fix buffer overflow in zlib extension
+  (CVE-2008-1721) bug 217221 and unsafe PyString_FromStringAndSize(). Added
+  patch by Mark Peloquin for distutils to respect CXXFLAGS, bug 145206. Add
+  wininst USE flag to conditionally install MS Windows executables, bug
+  198021. Use EAPI=1, rename nothreads and nocxx USE flags to threads and
+  cxx.
+

Updated versions have the fix included.
A note for testers please check if the pocs attached on upstream bug raise
ValueError instead of dumping core :) 
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-20 15:52:29 UTC
The "PyString_FromStringAndSize()" is CVE-2008-1887.

Ali, can you also address bug 216673 before we stable?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-27 11:14:36 UTC
hawking, I read your comment about dropping python 2.3. When exactly do you plan to do that?
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-03 14:20:21 UTC
GLSA 200807-01