Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 503348

Summary: Critical remote execution vulnerability in python
Product: Gentoo Security Reporter: Daniel Bradshaw <daniel+gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: critical    
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Daniel Bradshaw 2014-03-03 19:00:11 UTC 
There is a buffer overflow in socket.recvfrom_into that permits arbitrary remote code execution.  There is also a known exploit published for this issue.
Given how trivial it is to exploit this from the network, as a completely unauthenticated party, the flaw is fairly critical.

Affected versions are reported as:
  Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1
So that's everything currently in the tree.

Could we have the appropriate package bumps pushed ASAP?

Upstream bug report:
http://bugs.python.org/issue20246

Relevant CVE links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1912
http://www.cvedetails.com/cve/CVE-2014-1912/

Thanks in advance.


Reproducible: Always
Comment 1 Samuel Damashek (RETIRED) gentoo-dev 2014-03-03 19:03:33 UTC 

*** This bug has been marked as a duplicate of bug 500518 ***
Comment 2 Daniel Bradshaw 2014-03-03 19:20:31 UTC 
Apologies, I some how missed that bug when I did a search for existing bugs.