Bug 217221

Summary: dev-lang/python <2.4.4-r10 Buffer overflow in zlib extension (CVE-2008-{1721,1887})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: Jimmy.Jazz, python, security
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.python.org/issue2586
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 216673
Bug Blocks: 218469

Description Hanno Böck gentoo-dev 2008-04-10 21:33:02 UTC
See here, 2.5.2 and all versions below probably affected:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1721
Comment 1 Ali Polatel (RETIRED) gentoo-dev 2008-04-18 14:31:15 UTC
+*python-2.5.2 (18 Apr 2008)
+*python-2.4.4-r10 (18 Apr 2008)
+*python-2.3.6-r5 (18 Apr 2008)
+
+  18 Apr 2008; Ali Polatel <hawking@gentoo.org> +python-2.3.6-r5.ebuild,
+  +python-2.4.4-r10.ebuild, +python-2.5.2.ebuild:
+  Version bumps. Updated patchsets to fix buffer overflow in zlib extension
+  (CVE-2008-1721) bug 217221 and unsafe PyString_FromStringAndSize(). Added
+  patch by Mark Peloquin for distutils to respect CXXFLAGS, bug 145206. Add
+  wininst USE flag to conditionally install MS Windows executables, bug
+  198021. Use EAPI=1, rename nothreads and nocxx USE flags to threads and
+  cxx.
+

Updated versions have the fix included.
A note for testers: please check if the PoCs attached to the upstream bug raise
ValueError instead of dumping core :)
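An added regression check for the behaviour the comment asks testers to confirm; it is not part of this bug, of the upstream PoCs (which this page does not include) or of Gentoo's patchset. It assumes, based on the CVE description of signed length handling in the zlib extension, that the relevant inputs are negative or zero length arguments to the decompression API, and expects a fixed interpreter to reject them with ValueError rather than crash.

```python
import zlib

# Constructed sample payload so every call is exercised on real compressed data.
SAMPLE = zlib.compress(b"regression check: zlib extension length handling (CVE-2008-1721)")


def probe(func, *args):
    """Call func(*args) and classify the outcome.

    Returns 'ValueError' when the interpreter rejects the argument cleanly,
    'ok' when the call succeeds, otherwise the name of the raised exception.
    A vulnerable build would not return at all: it dumps core.
    """
    try:
        func(*args)
    except ValueError:
        return "ValueError"
    except Exception as exc:  # any other exception is reported, not hidden
        return type(exc).__name__
    return "ok"


def check_length_handling():
    """Probe the length parameters of the zlib decompression API (assumed set)."""
    results = {}

    d = zlib.decompressobj()
    d.decompress(SAMPLE)
    results["flush_negative_length"] = probe(d.flush, -1)
    results["flush_zero_length"] = probe(zlib.decompressobj().flush, 0)
    results["decompress_negative_max_length"] = probe(
        zlib.decompressobj().decompress, SAMPLE, -1)
    results["module_decompress_negative_bufsize"] = probe(
        zlib.decompress, SAMPLE, zlib.MAX_WBITS, -1)

    # Control case: a legitimate bounded call must still work after the fix.
    results["bounded_decompress"] = probe(zlib.decompressobj().decompress, SAMPLE, 16)
    return results


def all_rejected_cleanly(results):
    """True when every hostile length is refused with ValueError and the control call succeeds."""
    hostile = {k: v for k, v in results.items() if k != "bounded_decompress"}
    return all(v == "ValueError" for v in hostile.values()) and results["bounded_decompress"] == "ok"


if __name__ == "__main__":
    for name, outcome in check_length_handling().items():
        print(f"{name:40s} {outcome}")
```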
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-20 15:52:29 UTC
The "PyString_FromStringAndSize()" is CVE-2008-1887.

Ali, can you also address bug 216673 before we stable?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-27 11:14:36 UTC
hawking, I read your comment about dropping python 2.3. When exactly do you plan to do that?
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-03 14:20:21 UTC
GLSA 200807-01