Bug 232137 (CVE-2008-3142) - dev-lang/python Multiple vulnerabilities (CVE-2008-{3142,3143,3144})
Alias: CVE-2008-3142
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2008-07-18 01:46 UTC by Robert Buchholz (RETIRED)
Modified: 2008-07-31 23:34 UTC

python-2.4.4-CVE-2008-3144.patch (python-2.4.4-CVE-2008-3144.patch,1.82 KB, patch)
2008-07-18 02:26 UTC, Robert Buchholz (RETIRED)
python-2.4.4-CVE-2008-3142.patch (python-2.4.4-CVE-2008-3142.patch,7.49 KB, patch)
2008-07-28 20:22 UTC, Robert Buchholz (RETIRED)
python-2.4.4-CVE-2008-3143.patch (python-2.4.4-CVE-2008-3143.patch,28.64 KB, patch)
2008-07-28 20:22 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-18 01:46:19 UTC
Three issues in Python have been reported:

Justin Ferguson: Multiple buffer overflows in unicode processing

The unicode_resize() function acts essentially as a wrapper to
realloc(), it accomplishes this via the PyMem_RESIZE() macro which
factors the size with the size of the type, in this case it multiplies
by two as Py_UNICODE is typedef'd to a wchar_t. When resizing large
strings, this results in an incorrect allocation that in turn leads to
buffer overflow.

Proposed patch:

Only affects 32 bit systems.

"Google integer overflows"

Added checks for integer overflows, contributed by Google. Some are
only available if asserts are left in the code, in cases where they
can't be triggered from Python code.

Fixes are in 2.5.2.

Justin Ferguson: PyOS integer underflow/overflow

Fix potential integer underflow and overflow conditions in
the PyOS_vsnprintf C API function.

This is a backport of r63728 and r63734 from trunk.

Fix issue2589: there was a potential integer overflow leading to
memory corruption on esoteric platforms and incorrect behavior on
normal platforms.

Fix issue2588: Do not execute str[size-1] = '\0' when a 0 size is
passed in.  (The assert won't prevent this in non-debug builds).
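
An added illustration of the size computation described in the first issue above (not code from the Python patches or from this bug): it shows how an element count multiplied by the element size wraps in a 32-bit size type, next to a checked form. The names `unchecked_bytes32`, `checked_bytes32` and `resize_elems` are hypothetical, and the 2-byte `elem_t` is an assumption standing in for the "multiplies by two" case.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: a 2-byte element, matching "multiplies by two" in the report. */
typedef uint16_t elem_t;

/* Byte count as a 32-bit size type computes it: the product is truncated
 * modulo 2^32, so a large count can yield a very small allocation size. */
uint32_t unchecked_bytes32(uint32_t n, uint32_t elem_size)
{
    return n * elem_size;
}

/* Checked form: returns 0 and stores the byte count in *out, or returns -1
 * when n * elem_size does not fit in 32 bits. */
int checked_bytes32(uint32_t n, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && n > UINT32_MAX / elem_size)
        return -1;
    *out = n * elem_size;
    return 0;
}

/* Hypothetical resize wrapper around realloc(): rejects a request whose byte
 * size would overflow size_t, so the caller never gets a buffer smaller than
 * the element count it asked for. The old buffer stays valid on failure. */
elem_t *resize_elems(elem_t *buf, size_t n)
{
    if (n > SIZE_MAX / sizeof(elem_t))
        return NULL;
    return realloc(buf, n * sizeof(elem_t));
}

int main(void)
{
    uint32_t n = 0x80000001u;   /* constructed sample count */
    uint32_t bytes = 0;

    printf("unchecked: %u elements -> %u bytes\n",
           (unsigned)n, (unsigned)unchecked_bytes32(n, sizeof(elem_t)));
    if (checked_bytes32(n, sizeof(elem_t), &bytes) != 0)
        printf("checked: request rejected, size overflows 32 bits\n");
    return 0;
}
```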
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-18 02:26:26 UTC
Created attachment 160679
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-07-28 20:22:11 UTC
Created attachment 161577
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-07-28 20:22:25 UTC
Created attachment 161579
Comment 4 Tiziano Müller (RETIRED) gentoo-dev 2008-07-31 13:56:46 UTC
Fixed together with the patches from bug #230640
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-07-31 23:34:27 UTC
GLSA 200807-16