full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [ MDVSA-2009:003 ] python

[Full-disclosure] [ MDVSA-2009:003 ] python

From: <security_at_nospam>
Date: Sat Jan 10 2009 - 01:20:01 GMT
To: full-disclosure@lists.grok.org.uk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Mandriva Linux Security Advisory MDVSA-2009:003  http://www.mandriva.com/security/
Package : python Date : January 9, 2009 Affected: 2008.0, 2008.1, 2009.0, Corporate 4.0
_______________________________________________________________________

 Problem Description:

 Multiple integer overflows in imageop.c in the imageop module in  Python 1.5.2 through 2.5.1 allow context-dependent attackers to  break out of the Python VM and execute arbitrary code via large  integer values in certain arguments to the crop function, leading to  a buffer overflow, a different vulnerability than CVE-2007-4965 and  CVE-2008-1679. (CVE-2008-4864)    Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6,  allow context-dependent attackers to have an unknown impact via  a large integer value in the tabsize argument to the expandtabs  method, as implemented by (1) the string_expandtabs function in  Objects/stringobject.c and (2) the unicode_expandtabs function in  Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists  because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031)  

 The updated Python packages have been patched to correct these issues.


 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031


 Updated Packages:

 Mandriva Linux 2008.0: 99e168ac1b7ae4bd0d340c2aac462e19 2008.0/i586/libpython2.5-2.5.2-2.3mdv2008.0.i586.rpm 8ddb89d22f9456e52758bdfc060cede1 2008.0/i586/libpython2.5-devel-2.5.2-2.3mdv2008.0.i586.rpm c5b19e98a095f6000d5adc2009246ebb 2008.0/i586/python-2.5.2-2.3mdv2008.0.i586.rpm 4ce7cec71582068f7d5a00e1b53d9b2d 2008.0/i586/python-base-2.5.2-2.3mdv2008.0.i586.rpm ad15a443a4f832e44864a83c2a6d6e4c 2008.0/i586/python-docs-2.5.2-2.3mdv2008.0.i586.rpm 1983242f6100f957af9d264de98119ec 2008.0/i586/tkinter-2.5.2-2.3mdv2008.0.i586.rpm e99d03ebb07f9e6fc47f8619ea8cb832 2008.0/i586/tkinter-apps-2.5.2-2.3mdv2008.0.i586.rpm 2f8ff50c56f46c191b63878f11f7f606 2008.0/SRPMS/python-2.5.2-2.3mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64: 7b80a39d64b3a62eabd72cd63df8f2b4 2008.0/x86_64/lib64python2.5-2.5.2-2.3mdv2008.0.x86_64.rpm bcb2d996aa22e004a8d1c142a62b852f 2008.0/x86_64/lib64python2.5-devel-2.5.2-2.3mdv2008.0.x86_64.rpm 75b8005ecb4df3d51da30a308ff7864b 2008.0/x86_64/python-2.5.2-2.3mdv2008.0.x86_64.rpm 1ee083182c06c5661a2d49e378fe314a 2008.0/x86_64/python-base-2.5.2-2.3mdv2008.0.x86_64.rpm 71659dba30fb79c8890992ff77cfae08 2008.0/x86_64/python-docs-2.5.2-2.3mdv2008.0.x86_64.rpm f03df81a9505fc5480f717267eb4f59c 2008.0/x86_64/tkinter-2.5.2-2.3mdv2008.0.x86_64.rpm 8bbf6f28976deb9dc9c1651f4179bf3c 2008.0/x86_64/tkinter-apps-2.5.2-2.3mdv2008.0.x86_64.rpm 2f8ff50c56f46c191b63878f11f7f606 2008.0/SRPMS/python-2.5.2-2.3mdv2008.0.src.rpm

 Mandriva Linux 2008.1: 40768be47280f91652106cae7d52bac3 2008.1/i586/libpython2.5-2.5.2-2.3mdv2008.1.i586.rpm f740a094492e495a7058324c9d7fe5c0 2008.1/i586/libpython2.5-devel-2.5.2-2.3mdv2008.1.i586.rpm 8a3a54d6633b1067a303266551fbf11c 2008.1/i586/python-2.5.2-2.3mdv2008.1.i586.rpm 6ec33343842298ff0e8719cb69d8d8dd 2008.1/i586/python-base-2.5.2-2.3mdv2008.1.i586.rpm 6cf93281ad513c769a27e1a0aed24d89 2008.1/i586/python-docs-2.5.2-2.3mdv2008.1.i586.rpm 13b6d462c97fae761f889a9ef1f00445 2008.1/i586/tkinter-2.5.2-2.3mdv2008.1.i586.rpm 7503eb04531c6705d544a029575d5ba1 2008.1/i586/tkinter-apps-2.5.2-2.3mdv2008.1.i586.rpm befe989985d13d16f6f23b9c44300010 2008.1/SRPMS/python-2.5.2-2.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64: 51bf8e6e9cfe26fc06540fb2e9c89a97 2008.1/x86_64/lib64python2.5-2.5.2-2.3mdv2008.1.x86_64.rpm bdf744158bd3d0e856d34341db8f9766 2008.1/x86_64/lib64python2.5-devel-2.5.2-2.3mdv2008.1.x86_64.rpm 2e48265c3457815f1d8079bbbf289415 2008.1/x86_64/python-2.5.2-2.3mdv2008.1.x86_64.rpm c6b77afb3b6f1263602d1ddcbb010582 2008.1/x86_64/python-base-2.5.2-2.3mdv2008.1.x86_64.rpm d771f65c3c683e15688e243d7f6b5b31 2008.1/x86_64/python-docs-2.5.2-2.3mdv2008.1.x86_64.rpm d392466b1043ed47431e26780402a923 2008.1/x86_64/tkinter-2.5.2-2.3mdv2008.1.x86_64.rpm 0c333970463f34e01192f50025e5418a 2008.1/x86_64/tkinter-apps-2.5.2-2.3mdv2008.1.x86_64.rpm befe989985d13d16f6f23b9c44300010 2008.1/SRPMS/python-2.5.2-2.3mdv2008.1.src.rpm

 Mandriva Linux 2009.0: 51130cd5a5075d3ba29c3b65393950fe 2009.0/i586/libpython2.5-2.5.2-5.2mdv2009.0.i586.rpm e9a3c47de92e69dc45ee78ec09fdcdf7 2009.0/i586/libpython2.5-devel-2.5.2-5.2mdv2009.0.i586.rpm 1512cc21647372972d62143538110f0b 2009.0/i586/python-2.5.2-5.2mdv2009.0.i586.rpm 1ee69545d6e690add84393551b3008fb 2009.0/i586/python-base-2.5.2-5.2mdv2009.0.i586.rpm 4c2cf514d3bb03dc5690341ef8b57345 2009.0/i586/python-docs-2.5.2-5.2mdv2009.0.i586.rpm 7f3d125f0c601fbc650441e9d3d84660 2009.0/i586/tkinter-2.5.2-5.2mdv2009.0.i586.rpm a5de9edf44334b6bd10914b29875b79d 2009.0/i586/tkinter-apps-2.5.2-5.2mdv2009.0.i586.rpm a693a961c64a55661ff434db34514e54 2009.0/SRPMS/python-2.5.2-5.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64: 6c08e75992d0dbcc0588486ba110b7d0 2009.0/x86_64/lib64python2.5-2.5.2-5.2mdv2009.0.x86_64.rpm 14b108a893efbe023251b153d1e82510 2009.0/x86_64/lib64python2.5-devel-2.5.2-5.2mdv2009.0.x86_64.rpm 993aae03321911db6a6658b1d9c59770 2009.0/x86_64/python-2.5.2-5.2mdv2009.0.x86_64.rpm 2b7c1156968c717a439bc0f09cae6377 2009.0/x86_64/python-base-2.5.2-5.2mdv2009.0.x86_64.rpm 0d3827f4b2abd8d8708374a10f3d6a29 2009.0/x86_64/python-docs-2.5.2-5.2mdv2009.0.x86_64.rpm 850ba6348ca56583ac9d9cdcfe363cf9 2009.0/x86_64/tkinter-2.5.2-5.2mdv2009.0.x86_64.rpm 36bd4ed23029a5c85846306722c5c539 2009.0/x86_64/tkinter-apps-2.5.2-5.2mdv2009.0.x86_64.rpm a693a961c64a55661ff434db34514e54 2009.0/SRPMS/python-2.5.2-5.2mdv2009.0.src.rpm

 Corporate 4.0: d1aaa4775604a3de987ea812484cbbe4 corporate/4.0/i586/libpython2.4-2.4.5-0.2.20060mlcs4.i586.rpm 044319e405c74c74ada649911fea096b corporate/4.0/i586/libpython2.4-devel-2.4.5-0.2.20060mlcs4.i586.rpm 70a92760d7ee37150357fd5eed43d0cd corporate/4.0/i586/python-2.4.5-0.2.20060mlcs4.i586.rpm dd69e4feb812394c47140b42ec319dad corporate/4.0/i586/python-base-2.4.5-0.2.20060mlcs4.i586.rpm 40137c85bd8f45948823be862da2c224 corporate/4.0/i586/python-docs-2.4.5-0.2.20060mlcs4.i586.rpm 2f226b42cb832b2c9860f18528a71936 corporate/4.0/i586/tkinter-2.4.5-0.2.20060mlcs4.i586.rpm 83a6e83bb1b31cb4b5a43628e6a762d4 corporate/4.0/SRPMS/python-2.4.5-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64: 496d164ca85142afa629e3ea374810d2 corporate/4.0/x86_64/lib64python2.4-2.4.5-0.2.20060mlcs4.x86_64.rpm 0ee91a3adf261607b8df677d98b45704 corporate/4.0/x86_64/lib64python2.4-devel-2.4.5-0.2.20060mlcs4.x86_64.rpm 05be6f567bd0ae454878fbc91950d5e0 corporate/4.0/x86_64/python-2.4.5-0.2.20060mlcs4.x86_64.rpm 5fcaa1f9cc19b6c7a69422fee87081cb corporate/4.0/x86_64/python-base-2.4.5-0.2.20060mlcs4.x86_64.rpm e449b5dc09573a81c2d46305c0dcc641 corporate/4.0/x86_64/python-docs-2.4.5-0.2.20060mlcs4.x86_64.rpm 7e41ff74e33e237c319c36d7de726f3c corporate/4.0/x86_64/tkinter-2.4.5-0.2.20060mlcs4.x86_64.rpm 83a6e83bb1b31cb4b5a43628e6a762d4 corporate/4.0/SRPMS/python-2.4.5-0.2.20060mlcs4.src.rpm
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification  of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the  GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com


 Type Bits/KeyID Date User ID
 pub 1024D/22458A98 2000-07-10 Mandriva Security Team   <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJZ8kcmqjQ0CJFipgRAid1AJ4r2XGu3/mwmj94DeibPLPf3SLhcQCeLATO i4D9EZtmJCdN/0XK3eWOBnc=
=iXWH
-----END PGP SIGNATURE-----



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/