Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 432640 (CVE-2011-4944)

Summary: <dev-lang/python-{2.6.6-r1,2.7.3-r1,3.2.3}: DoS or information disclosure (CVE-2011-4944,CVE-2012-2135)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-08-24 22:43:02 UTC 
CVE-2012-2135 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2135):
  The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end
  variable after calling the unicode_decode_call_errorhandler function, which
  allows remote attackers to obtain sensitive information (process memory) or
  cause a denial of service (memory corruption and crash) via unspecified
  vectors.


http://bugs.python.org/issue14579
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-09-10 22:02:42 UTC 
CVE-2011-4944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4944):
  Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions
  before changing them after data has been written, which introduces a race
  condition that allows local users to obtain a username and password by
  reading this file.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 17:16:19 UTC 
2.6: affects <=2.6.5. Nothing vulnerable in tree.
2.7: affects <=2.7.2. Nothing vulnerable in tree.
3.0: irrelevant.
3.1: affects 3.1.5, but that's masked for removal.
3.2: affects =3.2. Nothing vulnerable.
3.3: unaffected.

@security team: worth a GLSA at this point?
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-05 15:46:54 UTC 
(In reply to Chris Reffett from comment #2)
> 2.6: affects <=2.6.5. Nothing vulnerable in tree.
> 2.7: affects <=2.7.2. Nothing vulnerable in tree.
> 3.0: irrelevant.
> 3.1: affects 3.1.5, but that's masked for removal.
> 3.2: affects =3.2. Nothing vulnerable.
> 3.3: unaffected.
> 
> @security team: worth a GLSA at this point?

As you said there is nothing to remove. The p.mask for 3.1.5 is enough.
Comment 4 Sergey Popov gentoo-dev 2014-01-06 22:04:41 UTC 
Covered by GLSA 201401-04

Closing as fixed