From: Robert Buchholz
To: gentoo-announce@lists.gentoo.org
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com
Subject: [gentoo-announce] [ GLSA 200907-16 ] Python: Integer overflows
Date: Sun, 19 Jul 2009 20:13:52 +0200
Message-Id: <200907192013.55048.rbu@gentoo.org>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory                 GLSA 200907-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Python: Integer overflows
      Date: July 19, 2009
      Bugs: #246991
        ID: 200907-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows in Python have an unspecified impact.

Background
==========

Python is an interpreted, interactive, object-oriented programming
language.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-lang/python         < 2.5.4-r2                     >= 2.5.4-r2
                                                              *>= 2.4.6

Description
===========

Chris Evans reported multiple integer overflows in the expandtabs
method, as implemented by (1) the string_expandtabs function in
Objects/stringobject.c and (2) the unicode_expandtabs function in
Objects/unicodeobject.c.

Impact
======

A remote attacker could exploit these vulnerabilities in Python
applications or daemons that pass user-controlled input to vulnerable
functions. The security impact is currently unknown but may include
the execution of arbitrary code or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Python 2.5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.4-r2"

All Python 2.4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.6"

References
==========

  [ 1 ] CVE-2008-5031
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200907-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
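The bug class behind this advisory is a length computation that wraps around: expandtabs grows its output by up to tabsize bytes per tab, and when that running total is not checked against the integer's maximum the buffer is sized too small for the data written into it. The following C routine is an added illustration written for this page; it is not code from the advisory or from CPython. It follows the column rules of Python's str.expandtabs() (a tab advances to the next multiple of tabsize, newline and carriage return reset the column, tabsize 0 drops tabs) but refuses inputs whose expanded size would overflow instead of allocating a too-small buffer. The function names, the size_t-based interface and the sample inputs are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of s[0..n) after tab expansion.  Every increment is checked
 * against SIZE_MAX before it is added, so a huge tabsize combined with
 * several tabs is reported as an error instead of wrapping around.
 * Returns 0 and stores the length in *out_len, or -1 on overflow. */
int expanded_length(const char *s, size_t n, size_t tabsize, size_t *out_len)
{
    size_t total = 0;   /* bytes in the expanded string so far */
    size_t col = 0;     /* column within the current line */
    for (size_t i = 0; i < n; i++) {
        size_t incr = 1;
        if (s[i] == '\t')
            incr = (tabsize > 0) ? tabsize - (col % tabsize) : 0;
        /* The overflow check: refuse rather than wrap. */
        if (incr > SIZE_MAX - total)
            return -1;
        total += incr;
        col += incr;            /* col <= total, so this cannot wrap */
        if (s[i] == '\n' || s[i] == '\r')
            col = 0;
    }
    *out_len = total;
    return 0;
}

/* Expand tabs into a freshly allocated NUL-terminated buffer.
 * Returns 0 on success (caller frees *out), -1 if the size would
 * overflow, -2 if allocation fails. */
int expandtabs_safe(const char *s, size_t n, size_t tabsize,
                    char **out, size_t *out_len)
{
    size_t len;
    if (expanded_length(s, n, tabsize, &len) != 0 || len == SIZE_MAX)
        return -1;                  /* no room even for the terminator */
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -2;
    size_t j = 0, col = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\t') {
            if (tabsize > 0) {
                size_t pad = tabsize - (col % tabsize);
                memset(buf + j, ' ', pad);  /* pad was counted above */
                j += pad;
                col += pad;
            }
        } else {
            buf[j++] = s[i];
            col = (s[i] == '\n' || s[i] == '\r') ? 0 : col + 1;
        }
    }
    buf[j] = '\0';
    *out = buf;
    *out_len = j;
    return 0;
}

int main(void)
{
    /* Constructed sample input for the stand-alone run. */
    const char sample[] = "col1\tcol2\n\tindented";
    char *out;
    size_t len;
    if (expandtabs_safe(sample, sizeof sample - 1, 8, &out, &len) == 0) {
        printf("%zu bytes: \"%s\"\n", len, out);
        free(out);
    }
    /* Two tabs with a tabsize near SIZE_MAX would wrap a naive counter. */
    int rc = expanded_length("\t\t", 2, SIZE_MAX - 1, &len);
    printf("huge tabsize -> rc=%d (-1 means rejected)\n", rc);
    return 0;
}
```

The point of separating the size pass from the copy pass is that the buffer is sized from an arithmetic result that has already been proven not to wrap; the copy loop then only writes what that pass counted. The check on `len == SIZE_MAX` covers the terminator byte, a second place where a one-off addition can overflow after the main sum has been validated.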