432640 – (CVE-2011-4944) <dev-lang/python-{2.6.6-r1,2.7.3-r1,3.2.3}: DoS or information disclosure (CVE-2011-4944,CVE-2012-2135)

Bug 432640 (CVE-2011-4944) - <dev-lang/python-{2.6.6-r1,2.7.3-r1,3.2.3}: DoS or information disclosure (CVE-2011-4944,CVE-2012-2135)

Summary: <dev-lang/python-{2.6.6-r1,2.7.3-r1,3.2.3}: DoS or information disclosure (CV...

Status:	RESOLVED FIXED

Alias:	CVE-2011-4944

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2012-08-24 22:43 UTC by GLSAMaker/CVETool Bot
Modified:	2014-01-06 22:04 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2012-08-24 22:43:02 UTC

CVE-2012-2135 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2135):
  The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end
  variable after calling the unicode_decode_call_errorhandler function, which
  allows remote attackers to obtain sensitive information (process memory) or
  cause a denial of service (memory corruption and crash) via unspecified
  vectors.


http://bugs.python.org/issue14579

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2012-09-10 22:02:42 UTC

CVE-2011-4944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4944):
  Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions
  before changing them after data has been written, which introduces a race
  condition that allows local users to obtain a username and password by
  reading this file.

Comment 2 Chris Reffett (RETIRED) gentoo-dev

2013-09-03 17:16:19 UTC

2.6: affects <=2.6.5. Nothing vulnerable in tree.
2.7: affects <=2.7.2. Nothing vulnerable in tree.
3.0: irrelevant.
3.1: affects 3.1.5, but that's masked for removal.
3.2: affects =3.2. Nothing vulnerable.
3.3: unaffected.

@security team: worth a GLSA at this point?

Comment 3 Agostino Sarubbo gentoo-dev

2013-09-05 15:46:54 UTC

(In reply to Chris Reffett from comment #2)
> 2.6: affects <=2.6.5. Nothing vulnerable in tree.
> 2.7: affects <=2.7.2. Nothing vulnerable in tree.
> 3.0: irrelevant.
> 3.1: affects 3.1.5, but that's masked for removal.
> 3.2: affects =3.2. Nothing vulnerable.
> 3.3: unaffected.
> 
> @security team: worth a GLSA at this point?

As you said there is nothing to remove. The p.mask for 3.1.5 is enough.

Comment 4 Sergey Popov (RETIRED) gentoo-dev

2014-01-06 22:04:41 UTC

Covered by GLSA 201401-04

Closing as fixed