According to SecurityFocus: Python's imageop module is prone to multiple integer-overflow vulnerabilities. These issues are due to a failure of the module to properly bounds-check user-supplied input to ensure that integer operations do not overflow. Successfully exploiting these issues require the ability to control the arguments to imageop functions. The ability for remote attackers to do this depends on the nature of applications that utilize the vulnerable functions. Attackers would likely submit invalid or specially-crafted images to applications that perform imageop operations on the data. Successfully exploiting these issues may allow attacker-supplied machine code to execute in the context of affected applications, facilitating the remote compromise of computers. The issue was discovered by Slythers Bro. I could reproduce a crash on x86. This is not an issue on amd64, as imageop is not installed there.
Setting whiteboard and pulling in maintainers for advice. As far as I can see, all pythons in the tree are vulnerable for this, at least on 32bit installs.
CVE assigned CVE-2007-4965 to this issue. The description there only confirms an attacker could "possibly obtain sensitive information" and "unspecified other vectors", but no explicit code execution. python, did you hear anything about this in upstream channels yet?
Upstream has a bug about this[1] and the last patch attached fixes the issue but the patch is not perfect, see guido's comment[2]. [1]: http://bugs.python.org/issue1179 [2]: http://bugs.python.org/msg56052
Hawking is this one ready for ebuild?
As Robert mentioned, all python versions in the tree are affected by this. I've committed three revbumps today, fixing the bug for all python versions that we support. python-2.3.6-r3, python-2.4.4-r6 and python-2.5.1-r3 are fixed versions. To check whether the bug is fixed, the file poc.py attached to the bug I've mentioned in my previous comment can be used. The expected output is: """ 4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545 Traceback (most recent call last): File "poc.py", line 12, in ? dtc = imageop.tovideo(sexshit,1,4461,-2147002257) imageop.error: String has incorrect length """ P.S: the variable names in the mentioned file are kinda weird.. well.. :-)
Thx Hawking Arhces please test and mark stable. Target keywords are: python-2.3.6-r3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86" python-2.4.4-r6.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
x86 stable
On amd64 Everything is working.Python works flawlessly still(emerge, and various other things) Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r8 x86_64) ================================================================= System uname: 2.6.22-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3400+ Timestamp of tree: Thu, 25 Oct 2007 01:47:01 +0000 ccache version 2.4 [enabled] app-shells/bash: 3.2_p17 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=athlon64 -O2 -pipe" DISTDIR="/distfiles" FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/overlay" SYNC="rsync://kv80/gentoo-portage" USE="X acl acpi aim alsa amd64 arts berkdb bitmap-fonts branding cairo cli cracklib crypt cups dbus dri dvd dvdread emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer hal iconv imap ipv6 isdnlog jpeg kde kerberos mad midi mikmod mmx mp3 mpeg mqsli mudflap mysql ncurses nls nptl nptlonly nvidia ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support quicktime readline reflection sdl session sockets spell spl sqlite3 sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vim vorbis xcomposite xine xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
ppc64 stable
amd64 done.
this bug is not done
alpha/ia64/sparc stable
Stable for HPPA.
ppc stable, ready for glsa
(In reply to comment #14) > ready for glsa Thanks, filed.
GLSA 200711-07