fmII
Sat, Aug 30th home | browse | articles | contact | chat | submit | faq | newsletter | about | stats | scoop 03:26 UTC
in
Section
login «
register «
recover password «
[Article] add comment [Article]

 Debian: New python2.4 packages fix several vulnerabilities
 by Patrick Lenz, in Security - Sun, Apr 20th 2008 15:31 UTC

Several vulnerabilities have been discovered in the interpreter for the Python language. Piotr Engelking discovered that the strxfrm() function of the locale module miscalculates the length of an internal buffer, which may result in a minor information disclosure. It was discovered that several integer overflows in the imageop module may lead to the execution of arbitrary code, if a user is tricked into processing malformed images. Justin Ferguson discovered that a buffer overflow in the zlib module may lead to the execution of arbitrary code. Justin Ferguson discovered that insufficient input validation in PyString_FromStringAndSize() may lead to the execution of arbitrary code. Fixed packages are available from security.debian.org.

Links: security.debian.org 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1551-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
April 19, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : python2.4
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-2052 CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-1887

Several vulnerabilities have been discovered in the interpreter for the
Python language. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2007-2052

   Piotr Engelking discovered that the strxfrm() function of the locale
   module miscalculates the length of an internal buffer, which may
   result in a minor information disclosure.

CVE-2007-4965

   It was discovered that several integer overflows in the imageop
   module may lead to the execution of arbitrary code, if a user is
   tricked into processing malformed images. This issue is also
   tracked as CVE-2008-1679 due to an initially incomplete patch.

CVE-2008-1721

   Justin Ferguson discovered that a buffer overflow in the zlib
   module may lead to the execution of arbitrary code.

CVE-2008-1887

   Justin Ferguson discovered that insufficient input validation in
   PyString_FromStringAndSize() may lead to the execution of arbitrary
   code.

For the stable distribution (etch), these problems have been fixed in
version 2.4.4-3+etch1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.5-2.

We recommend that you upgrade your python2.4 packages.

Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.diff.gz
   Size/MD5 checksum:   195434 8b86b3dc4c5a86a9ad8682fee56f30ca
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz
   Size/MD5 checksum:  9508940 f74ef9de91918f8927e75e8c3024263a
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.dsc
   Size/MD5 checksum:     1201 585773fd24634e05bb56b8cc85215c65

Architecture independent packages:

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch1_all.deb
   Size/MD5 checksum:   589642 63092c4cd1ea78c0993345be25a162b8
 http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch1_all.deb
   Size/MD5 checksum:    60864 21664a3f029087144046b6c175e88736

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_alpha.deb
   Size/MD5 checksum:  2968890 60a29f058a96e21d278a738fbb8067bf
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_alpha.deb
   Size/MD5 checksum:  1848176 ddb7c47970f277baa00e6c080e4530bd
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_alpha.deb
   Size/MD5 checksum:  5226532 5aa6daa859acdfdfcb7445586f4a0eb6
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_alpha.deb
   Size/MD5 checksum:   963606 38c08ee31ae6189631e503ad3d76fa87

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_amd64.deb
   Size/MD5 checksum:  2967058 6f06a90e94a6068b126413111185aff5
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_amd64.deb
   Size/MD5 checksum:  1635936 d5f98666609c652224b5552f5bb6b7a9
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_amd64.deb
   Size/MD5 checksum:   966196 7436b29b52acd99872d79b595f489ace
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_amd64.deb
   Size/MD5 checksum:  5587046 82444f4d11055f259d0899a0f8574b37

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_arm.deb
   Size/MD5 checksum:  2881272 408ac2b8cd6180975109364b26ae1c95
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_arm.deb
   Size/MD5 checksum:   901442 88d59caa6744da5c62a802124087d09c
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_arm.deb
   Size/MD5 checksum:  1500512 3113ad3590f5969703ce426a23ca67dd
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_arm.deb
   Size/MD5 checksum:  5351974 4f77de8e3dd9c12aa1e06a57cee82dac

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_hppa.deb
   Size/MD5 checksum:  3073066 1b4498c26a825c27c6d9765ed8a2e33e
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_hppa.deb
   Size/MD5 checksum:  5521834 68a5524fdb007cacc29a38865a43781d
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_hppa.deb
   Size/MD5 checksum:  1798220 6c9ce4754c024fbd1674a63c5ba0f06a
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_hppa.deb
   Size/MD5 checksum:  1017646 b8dd6490a43da08aa36c43712c360ff8

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_i386.deb
   Size/MD5 checksum:  2849512 2598cb802b7f5e1aac6404b801a0a7f0
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_i386.deb
   Size/MD5 checksum:  1508782 b8ffe50ecf5dfe173765dc5b263b7737
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_i386.deb
   Size/MD5 checksum:  5176966 f6892dc5e598f1811bfc32ea81a863d6
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_i386.deb
   Size/MD5 checksum:   900670 7956a1cf96b4b59de2d9e4972e04fff2

ia64 architecture (Intel ia64)

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_ia64.deb
   Size/MD5 checksum:  3371938 88e170459b0762e1db775753f6d69bb5
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_ia64.deb
   Size/MD5 checksum:  2269496 2c1ef318f92b9d4b1c202ad77c8c4462
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_ia64.deb
   Size/MD5 checksum:  1289496 d6fba2d2ea64736cf614b0b3b1ced9bf
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_ia64.deb
   Size/MD5 checksum:  6059106 e1008e68d3d775590b2a29bd7bec7b6c

mips architecture (MIPS (Big Endian))

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mips.deb
   Size/MD5 checksum:  2906992 e6e43c336e1095e3fe7f5985e500bf55
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mips.deb
   Size/MD5 checksum:  1725610 a9e2b6b11b1d9185885a9f99ed2d03b8
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mips.deb
   Size/MD5 checksum:  5646190 5c420d1aa984c190b121c8494c6fca5a
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mips.deb
   Size/MD5 checksum:   956712 4949e953435f72cf9d06bb8684170175

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mipsel.deb
   Size/MD5 checksum:  1717120 30986065ecf6810f46294c8ca196b538
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mipsel.deb
   Size/MD5 checksum:   939320 89571b10c2635774f65921083344a911
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mipsel.deb
   Size/MD5 checksum:  5507492 a06d9728ef16072ee50b3a1fcf7d08a8
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mipsel.deb
   Size/MD5 checksum:  2863620 90b6a4b2c498acb4a46e205d36cf8ec9

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_powerpc.deb
   Size/MD5 checksum:  1639780 4b7c83795b6d07c3a4050d5db977c577
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_powerpc.deb
   Size/MD5 checksum:  5778968 7e97b8f62daf0f91e48bf6af20552b51
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_powerpc.deb
   Size/MD5 checksum:  2956174 8e55e492ee8aa6e4787e77b161a245e5
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_powerpc.deb
   Size/MD5 checksum:   978078 9212e583942704f71a07478baa4d6446

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_s390.deb
   Size/MD5 checksum:   973904 3cc580a21934a7f5fac203235386e250
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_s390.deb
   Size/MD5 checksum:  2976776 efb7a2dc81b69a45ead47986d3b8fce5
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_s390.deb
   Size/MD5 checksum:  1646932 146ee8341c514308b15ca151753b3ca8
 http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_s390.deb
   Size/MD5 checksum:  5667818 9b4543d9a0e5f51e8d9b790f6c3b43c8


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFICiFUXm3vHE4uyloRAngQAKCJJPkv3wrtkymZDNanh9AQoGeRxACgqrLd
GsESR3yK0RopGIWWi6Ed91I=
=rgLC
-----END PGP SIGNATURE-----

[add comment]

 Referenced projects

Python - A high-level scripting language.



© Copyright 2008 SourceForge, Inc., All Rights Reserved.
About freshmeat.net •  Privacy Statement •  Terms of Use •  Trademark Guidelines •  Advertise •  Contact Us • 
ThinkGeek •  Slashdot  •  Linux.com •  SourceForge.net  •  Jobs