216673 – (CVE-2008-1679) dev-lang/python imageop some more integer-overflows (CVE-2008-1679)

Bug 216673 (CVE-2008-1679) - dev-lang/python imageop some more integer-overflows (CVE-2008-1679)

Summary: dev-lang/python imageop some more integer-overflows (CVE-2008-1679)

Status:	RESOLVED FIXED

Alias:	CVE-2008-1679

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://bugs.python.org/issue1179
Whiteboard:	A3 [glsa]
Keywords:

Depends on:
Blocks:	217221 CVE-2008-4864
	Show dependency tree

Reported:	2008-04-07 09:29 UTC by Robert Buchholz (RETIRED)
Modified:	2020-04-08 21:46 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Build log for 2.4.4-r9 on alpha with failing test_pow (dev-lang:python-2.4.4-r9:20080524-150755.log,99.49 KB, text/plain) 2008-05-24 15:25 UTC, Tobias Klausmann (RETIRED)	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2008-04-07 09:29:10 UTC

David Remahl (chmod007) writes on the upstream report:
The following test cases still cause bus errors with the patch applied:

import imageop; imageop.rgb82rgb('A'*(2**30), 32768, 32768)
import imageop; imageop.grey2rgb('A'*(2**30), 32768, 32768)

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-04-08 09:36:34 UTC

There is a patch on the python.org bug.

Comment 2 Ali Polatel (RETIRED) gentoo-dev

2008-04-21 21:16:03 UTC

(In reply to comment #1)
> There is a patch on the python.org bug.
> 

The attached patch doesn't solve the problem here.. I'll try to come up with a better fix tomorrow as we wait for an upstream fix :)

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2008-04-22 07:32:52 UTC

You mean the POC still crashes Python even with the patch included? I did not try to reproduce that myself.

Comment 4 Robert Buchholz (RETIRED) gentoo-dev

2008-05-06 15:19:36 UTC

ping

Comment 5 Ali Polatel (RETIRED) gentoo-dev

2008-05-14 08:16:50 UTC

(In reply to comment #3)
> You mean the POC still crashes Python even with the patch included? I did not
> try to reproduce that myself.
> 

Yes it does. imageop is removed in 3.0¹ and it's not built on 64 bit systems
because it's not Py_ssize_t safe.
I have no interest in fixing this and nothing depends on this module on the
tree. I say let's remove it or add a big fat warning to the ebuild not to use
it.

¹:http://bugs.python.org/msg66407

Comment 6 Robert Buchholz (RETIRED) gentoo-dev

2008-05-16 10:34:27 UTC

Please remove the imageop feature then, instead of printing a one-time warning.

Comment 7 Ali Polatel (RETIRED) gentoo-dev

2008-05-21 08:05:03 UTC

python-2.3.6-r6, python-2.4.4-r13 and python-2.5.2-r4 don't build imageop on
32 bit as well.

Comment 8 Robert Buchholz (RETIRED) gentoo-dev

2008-05-22 18:20:52 UTC

Arches, please test and mark stable:
=dev-lang/python-2.3.6-r6
=dev-lang/python-2.4.4-r13

Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

@Ali:
This might obsolete bug 211281, but as usual we will close the security bug regardless whether arm&co are stabled.

Comment 9 Markus Meier gentoo-dev

2008-05-22 21:20:08 UTC

dev-lang/python-2.3.6-r6  USE="berkdb cxx gdbm ipv6 ncurses readline ssl threads -bootstrap -build -doc -examples -tk -ucs2"

minor stuff: 
>>> Source compiled.
mv: cannot stat `/var/tmp/portage/dev-lang/python-2.3.6-r6/work/Python-2.3.6/Lib/test/test_subprocess.py': No such file or directory
mv: cannot stat `/var/tmp/portage/dev-lang/python-2.3.6-r6/work/Python-2.3.6/Lib/test/test_tcl.py': No such file or directory

but fails this test on amd64/x86 (regression):
test_bsddb
test test_bsddb failed -- errors occurred; run in verbose mode for details
test_bsddb185
test_bsddb185 skipped -- No module named bsddb185
test_bsddb3
test_bsddb3 skipped -- Use of the `bsddb' resource not enabled
...
205 tests OK.
1 test failed:
    test_bsddb
41 tests skipped:
    test_aepack test_al test_asynchat test_audioop test_bsddb185
    test_bsddb3 test_cd test_cl test_curses test_dl test_email_codecs
    test_fork1 test_gl test_imageop test_imgfile test_imp
    test_linuxaudiodev test_logging test_macfs test_macostools
    test_nis test_normalization test_ossaudiodev test_pep277
    test_plistlib test_queue test_rgbimg test_scriptpackages
    test_socket test_socket_ssl test_socketserver test_sunaudiodev
    test_thread test_threaded_import test_threadedtempfile
    test_threading test_timeout test_unicode_file test_urllibnet
    test_winreg test_winsound
13 skips unexpected on linux2:
    test_threadedtempfile test_socket test_threaded_import test_fork1
    test_rgbimg test_threading test_imp test_thread test_queue
    test_asynchat test_audioop test_imageop test_logging
make: *** [test] Error 1
 * 
 * ERROR: dev-lang/python-2.3.6-r6 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_test
 *             environment, line 3452:  Called die
 * The specific snippet of code:
 *       make test || die "make test failed";
 *  The die message:
 *   make test failed


dev-lang/python-2.4.4-r13 looks good so far.

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2008-05-23 13:15:17 UTC

Same error on python-2.3 on alpha/ia64/sparc

Comment 11 Tobias Klausmann (RETIRED) gentoo-dev

2008-05-23 18:29:44 UTC

Same test fails for alpha.

Comment 12 Tobias Klausmann (RETIRED) gentoo-dev

2008-05-23 19:12:50 UTC

I see the bsddb test failure on dev-lang/python-2.3.6-r6 but not on 2.4.4-r13.

In addition I see failure of test_pow (pow(-1, 1.23e167) throws an excpetion), but that is no regression from current stable (2.4.4-r9).

Comment 13 Jeroen Roovers (RETIRED) gentoo-dev

2008-05-24 06:24:54 UTC

Stable for HPPA.

Comment 14 Tobias Klausmann (RETIRED) gentoo-dev

2008-05-24 15:25:38 UTC

Created attachment 154145 [details]
Build log for 2.4.4-r9 on alpha with failing test_pow

A build log, as requested by hawking on IRC.

Built with:
USE="berkdb -gdbm" FEATURES=test emerge -av --oneshot =dev-lang/python-2.4.4-r9

Comment 15 Ali Polatel (RETIRED) gentoo-dev

2008-05-25 13:06:26 UTC

--- ChangeLog   2008-05-25 16:01:31.455794900 +0300
+++ ChangeLog.new       2008-05-25 16:02:35.904148669 +0300
@@ -2,6 +2,12 @@
+  25 May 2008; Ali Polatel <hawking@gentoo.org>
+  +files/python-2.3.6-disable-failing-tests.patch, python-2.3.6-r6.ebuild,
+  python-2.4.4-r13.ebuild, python-2.5.2-r4.ebuild:
+  Added patch to disable failing test_bsddb test for 2.3. Disable test_pow
+  on alpha until upstream comes up with a fix.
+

Appearently pow() fails for all version of python on alpha and upstream is aware¹ of that.
Disabled the test until upstream comes up with a fix.

¹:http://bugs.python.org/issue756093

Comment 16 Tobias Klausmann (RETIRED) gentoo-dev

2008-05-25 17:46:55 UTC

both stable on alpha

Comment 17 Raúl Porcel (RETIRED) gentoo-dev

2008-05-26 09:12:33 UTC

ia64/sparc stable

Comment 18 Christian Faulhammer (RETIRED) gentoo-dev

2008-05-26 16:21:39 UTC

(In reply to comment #9)
> dev-lang/python-2.3.6-r6  USE="berkdb cxx gdbm ipv6 ncurses readline ssl
> threads -bootstrap -build -doc -examples -tk -ucs2"
> but fails this test on amd64/x86 (regression):
> test_bsddb
> test test_bsddb failed -- errors occurred; run in verbose mode for details

 No problems here on x86.

Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev

2008-05-26 19:19:14 UTC

ppc stable

Comment 20 Markus Rothe (RETIRED) gentoo-dev

2008-05-27 05:27:34 UTC

ppc64 stable

Comment 21 Markus Meier gentoo-dev

2008-05-28 19:21:34 UTC

amd64/x86 stable

Comment 22 Peter Volkov (RETIRED) gentoo-dev

2008-05-30 07:38:39 UTC

Fixed in release snapshot.

Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-06-01 18:12:36 UTC

glsa request filed.

Comment 24 Tobias Heinlein (RETIRED) gentoo-dev

2008-07-03 14:19:13 UTC

GLSA 200807-01