Bug 503348 - Critical remote execution vulnerability in python
Summary: Critical remote execution vulnerability in python
Status: RESOLVED DUPLICATE of bug 500518
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-03 19:00 UTC by Daniel Bradshaw
Modified: 2014-03-03 19:20 UTC

See Also:
Package list:
Runtime testing required: ---


Description Daniel Bradshaw 2014-03-03 19:00:11 UTC
There is a buffer overflow in socket.recvfrom_into that permits arbitrary remote code execution.  There is also a known exploit published for this issue.
Given how trivial it is to exploit this from the network, as a completely unauthenticated party, the flaw is fairly critical.

Affected versions are reported as:
  Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1
So that's everything currently in the tree.

Could we have the appropriate package bumps pushed ASAP?

Upstream bug report:
http://bugs.python.org/issue20246

Relevant CVE links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1912
http://www.cvedetails.com/cve/CVE-2014-1912/

Thanks in advance.


Reproducible: Always
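As an added illustration (not part of the bug report or of CPython itself): a version check that encodes the affected ranges quoted above, and a wrapper around socket.recvfrom_into that performs the bounds check the upstream fix added, rejecting a read request larger than the supplied buffer instead of letting it overrun. The demo uses a socketpair so it runs without network access; the datagram contents are constructed.

```python
import socket
import sys


def is_affected(version_info):
    """Return True if a Python release falls in the ranges quoted in the report
    (CVE-2014-1912): 2.5 before 2.7.7, 3.x before 3.3.4, 3.4.x before 3.4rc1.
    version_info is a sys.version_info-like tuple
    (major, minor, micro, releaselevel[, serial])."""
    major, minor, micro, level = version_info[:4]
    if major == 2:
        return (2, 5, 0) <= (major, minor, micro) < (2, 7, 7)
    if major == 3:
        if minor < 4:
            return (major, minor, micro) < (3, 3, 4)
        if (minor, micro) == (4, 0):
            # 3.4.0 pre-releases before the first release candidate are affected
            return level in ("alpha", "beta")
        return False
    return False


def safe_recvfrom_into(sock, buffer, nbytes=0, flags=0):
    """recvfrom_into that refuses to read more bytes than the buffer can hold.
    This is the same check the upstream fix moved into the C implementation;
    on an unpatched interpreter this wrapper is the caller-side mitigation."""
    view = memoryview(buffer)
    if nbytes < 0:
        raise ValueError("negative nbytes in recvfrom_into")
    if nbytes == 0:
        nbytes = len(view)            # default: fill the whole buffer
    if nbytes > len(view):
        raise ValueError("nbytes is greater than the length of the buffer")
    return sock.recvfrom_into(view, nbytes, flags)


def demo():
    """Send a constructed 20-byte message and read it into an 8-byte buffer:
    an oversize request is rejected, a default request is bounded by len(buf)."""
    sender, receiver = socket.socketpair()
    sender.send(b"constructed datagram")
    buf = bytearray(8)
    try:
        safe_recvfrom_into(receiver, buf, 64)   # asks for more than buf holds
        rejected = False
    except ValueError:
        rejected = True
    n, _ = safe_recvfrom_into(receiver, buf)    # reads at most 8 bytes
    sender.close()
    receiver.close()
    return rejected, n, bytes(buf)


if __name__ == "__main__":
    print("this interpreter affected:", is_affected(sys.version_info))
    print(demo())
```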
Comment 1 Samuel Damashek (RETIRED) gentoo-dev 2014-03-03 19:03:33 UTC

*** This bug has been marked as a duplicate of bug 500518 ***
Comment 2 Daniel Bradshaw 2014-03-03 19:20:31 UTC
Apologies, I somehow missed that bug when I did a search for existing bugs.