Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 177804 - dev-lang/python "PyLocale_strxfrm()" Off-By-One Information Disclosure (CVE-2007-2052)
Summary: dev-lang/python "PyLocale_strxfrm()" Off-By-One Information Disclosure (CVE-2...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25190/
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-09 14:40 UTC by Lars Hartmann
Modified: 2007-06-24 23:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2007-05-09 14:40:43 UTC
Description:
Piotr Engelking has reported a security issue in Python, which can be exploited by malicious people to disclose potentially sensitive information.

The security issue is caused due to an off-by-one error within the "PyLocale_strxfrm()" function in Modules/_localemodule.c, which can be exploited to disclose certain parts of the memory.

The security issue is reported in Python 2.4 and 2.5. Other versions may also be affected.

Solution:
Update to version 2.5.1.

Provided and/or discovered by:
Piotr Engelking
Original Advisory:
Python:
http://www.python.org/download/releases/2.5.1/NEWS.txt

Debian Bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416934

Reproducible: Always
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-09 15:24:53 UTC
python please advise and bump as necessary.
Comment 2 Bryan Østergaard (RETIRED) gentoo-dev 2007-05-11 14:00:08 UTC
(In reply to comment #1)
> python please advise and bump as necessary.
> 
Patched in 2.4.4-r4. 2.5 will still be masked a couple weeks but 2.5.1 is unaffected.
Comment 3 Lars Hartmann 2007-05-12 15:01:38 UTC
arches - please test
target keywords are alpha, amd64, arm, hppa, ia64, mips, ppc, ppc64, s390, sparc, x86
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-05-12 17:13:47 UTC
ia64 + x86 stable

Btw this needs python-updater stable also, kloeri said it's okay.
Comment 5 Lars Hartmann 2007-05-12 17:39:34 UTC
target ebuild is dev-lang/python-2.4.4-r4
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-05-13 10:16:57 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-14 05:09:05 UTC
CBUILD="hppa2.0-unknown-linux-gnu" appears not to equal
 CHOST="hppa2.0-unknown-linux-gnu" according to tc-is-cross-compiler, so FEATURES=test was skipped, sadly.

Stable for HPPA anyhow.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-14 14:08:05 UTC
sparc stable.
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2007-05-14 15:10:48 UTC
(In reply to comment #7)
> CBUILD="hppa2.0-unknown-linux-gnu" appears not to equal
>  CHOST="hppa2.0-unknown-linux-gnu" according to tc-is-cross-compiler, so
> FEATURES=test was skipped, sadly.
> 
> Stable for HPPA anyhow.
> 
The problem with skipping tests is fixed now.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2007-05-14 21:06:04 UTC
Alpha and Mips stable.
Comment 11 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-05-16 00:34:01 UTC
amd64 done.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-16 21:11:01 UTC
ppc stable
Comment 13 Lars Hartmann 2007-05-17 08:01:20 UTC
thanks for providing/testing guys
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-17 13:00:23 UTC
Calling a vote, according to the policy.

I vote "no" because of the very hard exploitation and very low impact.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-18 06:09:31 UTC
Voting NO and closing. Feel free to reopen if you disagree.