| Summary: | <dev-lang/python-{2.7.10,3.4.4}: dumbdbm "eval()" Arbitrary Code Execution Vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://bugs.python.org/issue22885 | | |
| Whiteboard: | A2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 585946 | | |
| Bug Blocks: | | | |

Description
Agostino Sarubbo
2014-11-28 14:17:18 UTC
Is this bug being addressed by Bug #532232?

From http://bugs.python.org/issue22885#msg236073:

> New changeset 02865d22a98d by Serhiy Storchaka in branch '2.7':
> Fixed arbitrary code execution vulnerability in the dumbdbm
> https://hg.python.org/cpython/rev/02865d22a98d

To answer Yury's question from comment #1,

```
$ hg log -r "02865d22a98d :: and tag()"
changeset:   95937:80ccce248ba2
branch:      2.7
tag:         v2.7.10rc1
user:        Benjamin Peterson <benjamin@python.org>
date:        Sun May 10 13:14:16 2015 -0400
summary:     bump version to 2.7.10rc1

changeset:   96239:15c95b7d81dc
branch:      2.7
tag:         v2.7.10
parent:      96234:2a7b0e145945
user:        Benjamin Peterson <benjamin@python.org>
date:        Sat May 23 11:02:14 2015 -0500
summary:     python 2.7.10 final
```

so it wasn't addressed by bug 532232.

> New changeset 693bf15b4314 by Serhiy Storchaka in branch '3.4':
> Fixed arbitrary code execution vulnerability in the dbm.dumb
> https://hg.python.org/cpython/rev/693bf15b4314

```
$ hg log -r "693bf15b4314:: and tag()"
[...]
branch:      3.4
tag:         v3.4.4rc1
user:        Larry Hastings <larry@hastings.org>
date:        Sun Dec 06 05:53:35 2015 -0800
summary:     Version bump for 3.4.4rc1.

changeset:   99647:737efcadf5a6
branch:      3.4
tag:         v3.4.4
user:        Larry Hastings <larry@hastings.org>
date:        Sat Dec 19 19:31:10 2015 -0800
summary:     Release bump for Python 3.4.4 final.
```

V2.7 branch was fixed in Gentoo since https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-lang/python/python-2.7.10.ebuild?view=log and =dev-lang/python-2.7.10-r1 is the current stable version. No vulnerable version left.

v3.4 branch was fixed in Gentoo since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66faa8a8ce224eb34541e5fbbbaef87dc233032a however stabilization is currently in progress via bug 585946.

This issue was resolved and addressed in GLSA 201701-18 at https://security.gentoo.org/glsa/201701-18 by GLSA coordinator Thomas Deutschmann (whissi).
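
The bug title names `eval()` in dumbdbm as the source of the code execution. As an added example (not code from this bug report, Gentoo or CPython), the sketch below audits the text of a dumbdbm `.dir` index using `ast.literal_eval` and a shape check instead of `eval()`. The `key, (pos, siz)` line layout and the names `parse_index_line` and `audit_index` are assumptions made for illustration, and the sample index is constructed.

```python
import ast

# Errors ast.literal_eval can raise on malformed or hostile input.
PARSE_ERRORS = (ValueError, SyntaxError, TypeError, MemoryError, RecursionError)

def parse_index_line(line):
    """Parse one index line into (key, pos, siz) without executing it."""
    # literal_eval only builds literals: calls, names and attribute access
    # are rejected instead of being evaluated as they would be by eval().
    value = ast.literal_eval(line.strip())
    if not (isinstance(value, tuple) and len(value) == 2):
        raise ValueError("expected key, (pos, siz)")
    key, pos_siz = value
    if not isinstance(key, (str, bytes)):
        raise ValueError("key must be str or bytes")
    if not (isinstance(pos_siz, tuple) and len(pos_siz) == 2
            and all(type(n) is int and n >= 0 for n in pos_siz)):
        raise ValueError("(pos, siz) must be two non-negative ints")
    return key, pos_siz[0], pos_siz[1]

def audit_index(text):
    """Return (entries, rejected) for the text of a .dir index file."""
    entries, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            key, pos, siz = parse_index_line(line)
        except PARSE_ERRORS as exc:
            rejected.append((lineno, line, str(exc)))
            continue
        entries[key] = (pos, siz)
    return entries, rejected

# Constructed sample index: two well-formed lines and three that must be refused.
SAMPLE_INDEX = "\n".join([
    "'alpha', (0, 5)",
    "'beta', (512, 11)",
    "str(1), (1024, 3)",     # call expression standing in for untrusted content
    "'gamma', (-1, 'x')",    # literal, but wrong shape for (pos, siz)
    "'delta', (1536, 7",     # truncated line
])

if __name__ == "__main__":
    entries, rejected = audit_index(SAMPLE_INDEX)
    print(entries)
    for lineno, line, reason in rejected:
        print("line %d rejected: %r (%s)" % (lineno, line, reason))
```
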