On 11/30/2012 10:54 AM, Saul Wold wrote:
On 11/30/2012 03:29 AM, yanjun.zhu wrote:
From: "yanjun.zhu" <[email protected]>
Reference: http://bugs.python.org/issue14579
The utf-16 decoder in Python 3.1 through 3.3 does not update the
aligned_end variable after calling the unicode_decode_call_errorhandler
function, which allows remote attackers to obtain sensitive information
(process memory) or cause a denial of service (memory corruption and
crash) via unspecified vectors.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
[YOCTO #3450]
Is this for Denzil or is there a 2.7.3 patch for this CVE? Both Danny
(1.3) and master are using Python 2.7.3, which does not seem to have
this CVE fixed yet.
The CVE link above states that the vulnerability exists only in python
v3.1 - 3.3. That would suggest it would not apply to denzil at all.
I'm thrilled to see more security fixes rolling in, but I'm not sure
what's going on if they do not apply to the versions of upstream
software we're shipping.
Scott
--
Scott Garman
Embedded Linux Engineer - Yocto Project
Intel Open Source Technology Center
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
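The CVE text quoted in the patch description is a stale-bound bug: the decoder caches a word-aligned fast-path limit (aligned_end) derived from the input end, the error handler is allowed to replace the input (a Python decode error handler can do this by rewriting the exception's object attribute), and the cached limit is never refreshed, so the fast path reads past the new buffer. The C below is an added model of that defect class, not CPython's decoder and not code from this thread or from the patch: decode_model, swap_input, the arena layout and the sample UTF-16LE bytes are all constructed here for illustration. recompute_bound = 1 models the fix (recompute aligned_end after the handler returns); 0 models the unfixed behaviour. Reads are instrumented so the out-of-bounds access is reported instead of performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the CVE-2012-2135 defect class (NOT CPython's code).
 * Names mirror the bug report only for readability. */

#define WORD_BYTES 4               /* fast path consumes two UTF-16 units per step */
#define ALIGN_MASK (WORD_BYTES - 1)

struct input {
    const unsigned char *start;
    const unsigned char *end;
};

static int is_surrogate(uint16_t u)      { return (u & 0xF800) == 0xD800; }
static int is_high_surrogate(uint16_t u) { return (u & 0xFC00) == 0xD800; }
static int is_low_surrogate(uint16_t u)  { return (u & 0xFC00) == 0xDC00; }

static uint16_t unit_at(const unsigned char *q) {          /* UTF-16LE unit */
    return (uint16_t)(q[0] | (q[1] << 8));
}

/* Word-aligned limit for the fast path, computed relative to the buffer start. */
static const unsigned char *align_end(const struct input *in) {
    return in->start + ((in->end - in->start) & ~(ptrdiff_t)ALIGN_MASK);
}

/* Model of the error handler: swap in a replacement buffer and resume there. */
static void swap_input(struct input *in, const unsigned char **q,
                       const unsigned char *repl, size_t repl_len) {
    in->start = repl;
    in->end   = repl + repl_len;
    *q = repl;
}

/* Decodes UTF-16LE; on a lone surrogate the handler swaps in repl.
 * Returns 1 if a read past in.end was attempted (the OOB read), else 0. */
int decode_model(struct input in, const unsigned char *repl, size_t repl_len,
                 int recompute_bound, size_t *codepoints)
{
    const unsigned char *q = in.start;
    const unsigned char *aligned_end = align_end(&in);
    *codepoints = 0;

    while (q < in.end) {
        /* Fast path: whole aligned words that contain no surrogates. */
        if (((q - in.start) & ALIGN_MASK) == 0) {
            while (q < aligned_end) {
                if (q + WORD_BYTES > in.end)
                    return 1;              /* aligned_end is stale: OOB read */
                uint16_t u0 = unit_at(q), u1 = unit_at(q + 2);
                if (is_surrogate(u0) || is_surrogate(u1))
                    break;
                *codepoints += 2;
                q += WORD_BYTES;
            }
            if (q >= in.end) break;
        }
        if (q + 2 > in.end) break;         /* truncated trailing byte: stop */
        uint16_t u = unit_at(q);
        if (!is_surrogate(u)) { (*codepoints)++; q += 2; continue; }
        if (is_high_surrogate(u) && q + 4 <= in.end && is_low_surrogate(unit_at(q + 2))) {
            (*codepoints)++; q += 4; continue;
        }
        /* Lone surrogate: the error handler replaces the input buffer. */
        swap_input(&in, &q, repl, repl_len);
        if (recompute_bound)
            aligned_end = align_end(&in);  /* the fix: refresh the cached bound */
        /* unfixed: aligned_end still points into the old buffer */
    }
    return 0;
}

/* Constructed scenario: one arena holds both buffers so pointer comparisons are
 * meaningful. The 16-byte original sits at arena+32; the 2-byte replacement at
 * arena+0, so the stale bound (arena+48) lies far beyond the new end (arena+2). */
int run_scenario(int recompute_bound, size_t *codepoints)
{
    static unsigned char arena[64];
    static const unsigned char original[16] = {   /* "ab", lone D800, "cdefg" */
        0x61,0x00, 0x62,0x00, 0x00,0xD8, 0x63,0x00,
        0x64,0x00, 0x65,0x00, 0x66,0x00, 0x67,0x00 };
    static const unsigned char replacement[2] = { 0x78, 0x00 };   /* "x" */
    memcpy(arena + 32, original, sizeof original);
    memcpy(arena, replacement, sizeof replacement);
    struct input in = { arena + 32, arena + 32 + sizeof original };
    return decode_model(in, arena, sizeof replacement, recompute_bound, codepoints);
}

int scenario_oob(int recompute_bound)          { size_t n; return run_scenario(recompute_bound, &n); }
size_t scenario_codepoints(int recompute_bound) { size_t n; run_scenario(recompute_bound, &n); return n; }

int main(void)
{
    printf("fixed:   oob=%d codepoints=%zu\n", scenario_oob(1), scenario_codepoints(1));
    printf("unfixed: oob=%d codepoints=%zu\n", scenario_oob(0), scenario_codepoints(0));
    return 0;
}
```

With the bound refreshed, the decoder finishes the replacement buffer cleanly (three code points: "a", "b", "x"); without it, the first fast-path step after the swap reads four bytes from a two-byte buffer, which is the read of adjacent process memory the advisory describes.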