Bug 230640 (CVE-2008-2315) - dev-lang/python <2.4.4-r14 integer overflows (CVE-2008-2315, CVE-2008-2316)
Summary: dev-lang/python <2.4.4-r14 integer overflows (CVE-2008-2315, CVE-2008-2316)
Status: RESOLVED FIXED
Alias: CVE-2008-2315
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Duplicates: 230589
Reported: 2008-07-03 14:44 UTC by Matthias Geerdsen (RETIRED)
Modified: 2008-07-31 23:34 UTC
CC List: 4 users

Attachments
CVE-2008-2315 patch 2.5 (CVE-2008-2315-release25-maint.diff, 17.81 KB, patch) - 2008-07-03 14:45 UTC, Matthias Geerdsen (RETIRED)
CVE-2008-2315 patch trunk (CVE-2008-2315-trunk.diff, 18.60 KB, patch) - 2008-07-03 14:45 UTC, Matthias Geerdsen (RETIRED)
CVE-2008-2316 patch 2.5 (CVE-2008-2316-release25-maint.diff, 4.81 KB, patch) - 2008-07-03 14:45 UTC, Matthias Geerdsen (RETIRED)
CVE-2008-2316 patch trunk (CVE-2008-2316-trunk.diff, 4.81 KB, patch) - 2008-07-03 14:46 UTC, Matthias Geerdsen (RETIRED)
misc fixes 2.5 (MISC-FIXES-release25-maint.diff, 1.62 KB, patch) - 2008-07-03 14:46 UTC, Matthias Geerdsen (RETIRED)
misc fixes trunk (MISC-FIXES-trunk.diff, 1.62 KB, patch) - 2008-07-03 14:46 UTC, Matthias Geerdsen (RETIRED)
CVE-2008-2315-release25-maint.diff (CVE-2008-2315-release25-maint.diff, 17.84 KB, patch) - 2008-07-17 18:18 UTC, Ali Polatel (RETIRED)
python-2.5.2-r6.ebuild (python-2.5.2-r6.ebuild, 10.36 KB, text/plain) - 2008-07-17 18:20 UTC, Ali Polatel (RETIRED)
python-2.4.4-CVE-2008-2315.patch (python-2.4.4-CVE-2008-2315.patch, 8.74 KB, patch) - 2008-07-28 20:23 UTC, Robert Buchholz (RETIRED)
python-2.4.4-r7-overlay.tar.gz (python-2.4.4-r7-overlay.tar.gz, 27.08 KB, application/octet-stream) - 2008-07-28 21:00 UTC, Robert Buchholz (RETIRED)
python-overlay.tar.gz (python-overlay.tar.gz, 40.46 KB, application/octet-stream) - 2008-07-29 12:57 UTC, Robert Buchholz (RETIRED)

Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-03 14:44:19 UTC
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

hawking, feel free to add other python maintainers if needed... just keep this confidential

Could someone please check if 2.4 is affected by these issues too.

David Remahl of Apple Product Security reports the following:

[...]

We have identified a number of integer overflow security issues in the core python library (dealing with some of the basic types). I also found an integer overflow issue in the strop module and one in hashlib (leading to unreliable cryptographic digest results). Additionally, a number of issues that are expected to be resolved by <http://bugs.python.org/issue2620> were identified in this audit.

These issues are detailed in the files attached below. Patches and test cases are included. Note that some issues only affect certain architectures, e.g. 32/64 bit or 2/4 byte unicode. 2.5.2 and 2.6b1 are vulnerable to varying extents (see patches for details). 3.0a has not been investigated, nor have 2.4 and earlier releases. Some of the test cases need to be run with regrtest.py -M <large value>. A new test decorator (precisionbigmemtest) was created because of the need to have bigmem tests that take a specific size value, not just the largest size that can be accommodated.

The following CVE names have been assigned by Apple:

CVE-2008-2315: Multiple integer overflows in python core (stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule)
CVE-2008-2316: Partial hashlib hashing of data exceeding 4GB (_hashopenssl)

Also included in this message are patches for some non-security bugs that were encountered during the audit. They have no test cases and have received little testing. Caveat emptor. 
[...]
Note that one of the issues is in the same code snippet that was touched in PSF-2006-001 (CVE-2006-4980).

The Python Security Response Team was notified of these issues recently and they have acknowledged that they received the message.
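The partial-hashing issue named in the report above (CVE-2008-2316) comes down to a length parameter that is narrower than the data being hashed: a size_t byte count handed to an update function that takes a 32-bit unsigned int is reduced modulo 2^32, so a digest over more than 4 GB silently covers only the tail. The C program below is an added example, not code from this bug, from Python or from OpenSSL; it assumes a mock update function with a 32-bit length argument (the shape EVP_DigestUpdate had in OpenSSL 0.9.x) that only counts bytes and never reads memory, and contrasts the truncating wrapper with one that feeds bounded chunks, which is the pattern a fix for this class applies.

```c
#include <stdint.h>
#include <stddef.h>

/* Mock of a digest-update API whose length parameter is a 32-bit unsigned int.
 * It is an assumption for this example, not OpenSSL: it only records how many
 * bytes it was asked to hash and the largest single call, and never reads the
 * data pointer, so lengths above 4 GB can be used without allocating. */
struct mock_ctx {
    uint64_t bytes_seen;        /* total bytes the "digest" actually covered */
    unsigned int largest_call;  /* largest len passed in one call */
};

static void mock_digest_update(struct mock_ctx *ctx, const void *data, unsigned int len)
{
    (void)data;                 /* mock: memory is never touched */
    ctx->bytes_seen += len;
    if (len > ctx->largest_call)
        ctx->largest_call = len;
}

static const unsigned char dummy[1] = {0};  /* stand-in buffer, never read */

/* Vulnerable pattern: size_t cast straight to the API's unsigned int, so any
 * length of 4 GB or more is reduced modulo 2^32 and only the tail is hashed. */
struct mock_ctx naive_update(size_t total_len)
{
    struct mock_ctx ctx = {0, 0};
    mock_digest_update(&ctx, dummy, (unsigned int)total_len);
    return ctx;
}

/* Fixed pattern: feed the data in pieces no larger than CHUNK, so the 32-bit
 * length parameter can never be truncated and every byte is covered. */
#define CHUNK (1u << 30)        /* 1 GiB, comfortably inside unsigned int */

struct mock_ctx chunked_update(size_t total_len)
{
    struct mock_ctx ctx = {0, 0};
    uintptr_t p = (uintptr_t)dummy;   /* integer arithmetic only; never dereferenced */
    size_t remaining = total_len;
    while (remaining > 0) {
        unsigned int n = remaining > CHUNK ? CHUNK : (unsigned int)remaining;
        mock_digest_update(&ctx, (const void *)p, n);
        p += n;
        remaining -= n;
    }
    return ctx;
}
```

The assertions below assume a 64-bit size_t; on that platform the naive wrapper reports 100 bytes hashed for a 4 GiB + 100 byte input, while the chunked wrapper covers all of it in calls no larger than CHUNK.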
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-03 14:45:11 UTC
Created attachment 159416
CVE-2008-2315 patch 2.5
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-03 14:45:30 UTC
Created attachment 159418
CVE-2008-2315 patch trunk
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-03 14:45:53 UTC
Created attachment 159420
CVE-2008-2316 patch 2.5
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-03 14:46:13 UTC
Created attachment 159422
CVE-2008-2316 patch trunk
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-03 14:46:36 UTC
Created attachment 159424
misc fixes 2.5
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-03 14:46:52 UTC
Created attachment 159426
misc fixes trunk
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-07-03 16:12:57 UTC
*** Bug 230589 has been marked as a duplicate of this bug. ***
Comment 8 Ali Polatel (RETIRED) gentoo-dev 2008-07-13 14:35:48 UTC
An ebuild will be attached as soon as I get back home. I'm away for GUADEC right now, hopefully I'll be back on Tuesday or Wednesday. That's like the 16th of this month I guess.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-13 14:52:36 UTC
thanks Ali

Should we CC another python maintainer to speed things up?
Comment 10 Ali Polatel (RETIRED) gentoo-dev 2008-07-17 18:18:58 UTC
Created attachment 160652
CVE-2008-2315-release25-maint.diff

Fixes an indentation error in Lib/tests/test_seq.py
Please have a look and make sure that it does the right thing.
Comment 11 Ali Polatel (RETIRED) gentoo-dev 2008-07-17 18:20:22 UTC
Created attachment 160655
python-2.5.2-r6.ebuild

Ebuild that applies the attached patches.
I'll move the patches from files/ to our patchset after disclosure.
Comment 12 Ali Polatel (RETIRED) gentoo-dev 2008-07-17 18:21:02 UTC
(In reply to comment #9)
> thanks Ali
> 
> Should we CC another python maintainer to speed things up?
> 

Next time, please CC python@gentoo.org ;)
Comment 13 Ali Polatel (RETIRED) gentoo-dev 2008-07-26 23:47:07 UTC
(In reply to comment #12)
> Next time, please CC python@gentoo.org ;)
> 

^ That was fail :-]. CC'ing dev-zero because I'll be on vacation till 15th August.
I'm not sure if he's available though.

@dev-zero: Please CC pythonhead if you don't have time
@security: ^ Please do so if he doesn't respond :)
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-07-28 20:23:19 UTC
Created attachment 161580
python-2.4.4-CVE-2008-2315.patch
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-07-28 21:00:43 UTC
Created attachment 161588
python-2.4.4-r7-overlay.tar.gz

I took the liberty of putting together the patches from bug 232137 and this bug, applying them all to our current stable and wrapping it up in an overlay.

The python team will probably put these patches into a new gentoo patch tarball.
I understood that we are not going to backport these patches to 2.3 anymore, ending its life in the tree?
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-07-28 21:01:45 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : tsunam
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2008-07-29 07:07:14 UTC
looks good on ppc64
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2008-07-29 11:49:07 UTC
Shouldn't this be -r14? -r13 is the latest stable....
Comment 19 Ferris McCormick (RETIRED) gentoo-dev 2008-07-29 12:10:45 UTC
Good on sparc for python-2.4.4-r7.  But current stable is -2.4.4-r13 on sparc.  So I guess I echo Comment #18.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-07-29 12:57:03 UTC
Created attachment 161617
python-overlay.tar.gz

(In reply to comment #18)
> Shouldn't this be -r14? -r13 is the latest stable....

Sorry, my bad. I'm attaching a new tarball that also includes
=python/python-2.4.4-r14
=python/python-2.5.2-r6

for stable.
Comment 21 Ferris McCormick (RETIRED) gentoo-dev 2008-07-29 14:16:26 UTC
python-2.4.4-r14 and python-2.5.2-r6 are both good on sparc.
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2008-07-29 14:24:16 UTC
alpha/ia64/x86 is good as well
Comment 23 Jeroen Roovers gentoo-dev 2008-07-29 18:11:34 UTC
Both are OK for HPPA.
Comment 24 Markus Rothe (RETIRED) gentoo-dev 2008-07-29 18:14:30 UTC
python-2.4.4-r14 and python-2.5.2-r6 are both good on ppc64
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 15:00:15 UTC
Embargo deadline is 1700 UTC tomorrow. Python team, who will be around to commit the new version?
Comment 26 Ali Polatel (RETIRED) gentoo-dev 2008-07-30 15:19:29 UTC
(In reply to comment #25)
> Embargo deadline is 1700 UTC tomorrow. Python team, who will be around to
> commit the new version?
> 

I have ssh access to my home box so I can do it if no one else does. I'll try to be around at that time tomorrow.
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-30 16:22:38 UTC
both ok for ppc
Comment 28 Tiziano Müller gentoo-dev 2008-07-31 13:56:21 UTC
Added patches to our patchsets.

Rev.bumped to python-2.4.4-r14 (using python-gentoo-patches-2.4.4-r11.tar.bz2) and python-2.5.2-r6 (using python-gentoo-patches-2.5.2-r6.tar.bz2).

Tests passed for the rev.bumped packages on my amd64. Added amd64 keyword as well.

Committed with the following keywords:
2.4: alpha amd64 hppa ia64 ppc ppc64 sparc x86
2.5: alpha amd64 hppa ia64 ppc ppc64 x86
Comment 29 Ferris McCormick (RETIRED) gentoo-dev 2008-07-31 14:24:50 UTC
(In reply to comment #28)
> Added patches to our patchsets.
> 
> Rev.bumped to python-2.4.4-r14 (using python-gentoo-patches-2.4.4-r11.tar.bz2)
> and python-2.5.2-r6 (using python-gentoo-patches-2.5.2-r6.tar.bz2).
> 
> Tests passed for the rev.bumped packages on my amd64. Added amd64 keyword as
> well.
> 
> Committed with the following keywords:
> 2.4: alpha amd64 hppa ia64 ppc ppc64 sparc x86
> 2.5: alpha amd64 hppa ia64 ppc ppc64 x86
> 

Also sparc for 2.5
Comment 30 Robert Buchholz (RETIRED) gentoo-dev 2008-07-31 23:31:53 UTC
Arches, please test and mark stable:
=dev-lang/python-2.4.4-r14
=dev-lang/python-2.5.2-r6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm m68k s390 sh"

Comment 31 Robert Buchholz (RETIRED) gentoo-dev 2008-07-31 23:34:37 UTC
GLSA 200807-16