| Summary: | dev-lang/python <2.4.4-r10 Buffer overflow in zlib extension (CVE-2008-{1721,1887}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | Jimmy.Jazz, python, security |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://bugs.python.org/issue2586 | ||
| Whiteboard: | A2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 216673 | ||
| Bug Blocks: | 218469 | ||
|
Description
Hanno Böck
2008-04-10 21:33:02 UTC
+*python-2.5.2 (18 Apr 2008) +*python-2.4.4-r10 (18 Apr 2008) +*python-2.3.6-r5 (18 Apr 2008) + + 18 Apr 2008; Ali Polatel <hawking@gentoo.org> +python-2.3.6-r5.ebuild, + +python-2.4.4-r10.ebuild, +python-2.5.2.ebuild: + Version bumps. Updated patchsets to fix buffer overflow in zlib extension + (CVE-2008-1721) bug 217221 and unsafe PyString_FromStringAndSize(). Added + patch by Mark Peloquin for distutils to respect CXXFLAGS, bug 145206. Add + wininst USE flag to conditionally install MS Windows executables, bug + 198021. Use EAPI=1, rename nothreads and nocxx USE flags to threads and + cxx. + Updated versions have the fix included. A note for testers please check if the pocs attached on upstream bug raise ValueError instead of dumping core :) The "PyString_FromStringAndSize()" is CVE-2008-1887. Ali, can you also address bug 216673 before we stable? hawking, I read your comment about dropping python 2.3. When exactly do you plan to do that? GLSA 200807-01 |