Arch Linux Security Advisory ASA-201409-3 =========================================
Severity: Low Date : 2014-09-26 CVE-ID : CVE-2014-7185 Package : python2 Type : Integer overflow Remote : No Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package python2 before version 2.7.8-1 is vulnerable to an integer overflow vulnerability. Resolution ========== Upgrade to 2.7.8-1. $ pacman -Syu "python2>=2.7.8-1" The problem has been fixed upstream in version 2.7.8 [1]. Workaround ========== None. Description =========== It was reported that Python 2.7.8 fixes a potential wraparound in buffer() with possible CWE-200 implications. This could allow an attacker to access private information through information leakage. PoC: --- overflow.py --- import sys a = bytearray('here be dragons') b = buffer(a, sys.maxsize, sys.maxsize) print b[:8192] ------------------- References ========== [1] https://www.python.org/downloads/release/python-278/ http://bugs.python.org/issue21831 https://bugzilla.redhat.com/show_bug.cgi?id=1146026
signature.asc
Description: OpenPGP digital signature
