On 2008/08/04 21:50, Damien Miller wrote:
> > Want to help? Then you can cherrypick the patches from the python 2.5
> > branch that close the vulnerabilities and post them to the list (as links
> > to the svn changesets in the python webcvs/viewvc) matched against CVE
> > numbers.

stringobject and zlib are easy enough, imageop less so.


CVE-2008-1721
http://bugs.python.org/issue2586

"Python zlib module is prone to a remote buffer-overflow vulnerability
because the library fails to properly sanitize user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the
privileges of the user running an application that relies on the
affected library. Failed exploit attempts will result in a
denial-of-service condition."

"Fix zlib crash from zlib.decompressobj().flush(val) when val was not
positive.  It tried to allocate negative or zero memory.  That fails."

http://svn.python.org/view/python/trunk/Lib/test/test_zlib.py?p2=%2Fpython%2Ftrunk%2FLib%2Ftest%2Ftest_zlib.py&p1=python%2Ftrunk%2FLib%2Ftest%2Ftest_zlib.py&r1=62235&r2=62234&rev=62235&view=diff&makepatch=1&diff_format=h
http://svn.python.org/view/python/trunk/Modules/zlibmodule.c?p2=%2Fpython%2Ftrunk%2FModules%2Fzlibmodule.c&p1=python%2Ftrunk%2FModules%2Fzlibmodule.c&r1=62235&r2=62234&rev=62235&view=diff&makepatch=1&diff_format=h


CVE-2008-1887
http://bugs.python.org/issue2587

"Issue #2587: In the C API, PyString_FromStringAndSize() takes a
signed size parameter but was not verifying that it was greater
than zero.  Values less than zero will now raise a SystemError and
return NULL to indicate a bug in the calling C code."

"Python 2.5.2 and earlier allows context-dependent attackers to execute
arbitrary code via multiple vectors that cause a negative size value to
be provided to the PyString_FromStringAndSize function, which allocates
less memory than expected when assert() is disabled and triggers a
buffer overflow."

http://svn.python.org/view/python/branches/release25-maint/Objects/stringobject.c?p2=%2Fpython%2Fbranches%2Frelease25-maint%2FObjects%2Fstringobject.c&p1=python%2Fbranches%2Frelease25-maint%2FObjects%2Fstringobject.c&r1=62262&r2=62261&rev=62262&view=diff&makepatch=1&diff_format=h


CVE-2007-4965
CVE-2008-1679
http://bugs.python.org/issue1179

"Multiple integer overflows in imageop.c in Python before 2.5.3 allow
context-dependent attackers to cause a denial of service (crash) and
possibly execute arbitrary code via crafted images that trigger
heap-based buffer overflows."

Looks like it's only partially fixed in their tree.

http://bugs.python.org/file8592/python-2.5.CVE-2007-4965-int-overflow.patch
http://bugs.python.org/file9975/python-2.5-int-overflow-2.patch

http://svn.python.org/view/python/branches/release25-maint/Modules/imageop.c
http://svn.python.org/view/python/branches/release25-maint/Modules/rgbimgmodule.c
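Added here as an illustration of the size-checking pattern the three fixes above have in common (a signed length reaching an allocator without a sign check, and a width*height product wrapping before a length comparison). This is example code, not from this message, the linked patches, or CPython itself; the struct layout and the function names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome codes for the checked helpers below. */
enum alloc_status {
    ALLOC_OK = 0,
    ALLOC_NEGATIVE_SIZE,   /* caller passed a negative length */
    ALLOC_OVERFLOW,        /* size arithmetic would wrap size_t */
    ALLOC_NOMEM            /* malloc failed */
};

/* Hypothetical string object: a header followed by an inline payload.
 * Not CPython's real struct, just enough to show the size arithmetic. */
struct str_obj {
    long size;      /* signed length, as Py_ssize_t is */
    char data[1];   /* payload; allocated with `size` extra bytes */
};

/* What unchecked arithmetic does with a negative length: the long is
 * converted to size_t for the addition, so -1 becomes SIZE_MAX and the
 * sum wraps to sizeof(struct str_obj) - 1, a smaller block than a later
 * memcpy of `size` bytes assumes. This is the hazard the
 * PyString_FromStringAndSize fix closes by rejecting size < 0. */
size_t naive_alloc_size(long size)
{
    return sizeof(struct str_obj) + (size_t)size;
}

/* Checked constructor: refuse a negative length before it reaches the
 * allocator, and refuse a length for which header + payload would exceed
 * SIZE_MAX. Works the same whether or not assert() is compiled in. */
enum alloc_status str_from_string_and_size(const char *src, long size,
                                           struct str_obj **out)
{
    *out = NULL;
    if (size < 0)
        return ALLOC_NEGATIVE_SIZE;
    if ((size_t)size > SIZE_MAX - sizeof(struct str_obj))
        return ALLOC_OVERFLOW;
    struct str_obj *s = malloc(sizeof(struct str_obj) + (size_t)size);
    if (s == NULL)
        return ALLOC_NOMEM;
    s->size = size;
    if (src != NULL)
        memcpy(s->data, src, (size_t)size);
    s->data[size] = '\0';
    *out = s;
    return ALLOC_OK;
}

/* Checked image buffer size, rows * cols * bytes-per-pixel, the kind of
 * product the imageop.c integer-overflow CVEs concern. Each multiply is
 * tested against SIZE_MAX so crafted dimensions cannot wrap the product
 * to a small value that then passes a length comparison. */
enum alloc_status image_buffer_size(long rows, long cols, long bpp, size_t *out)
{
    *out = 0;
    if (rows < 0 || cols < 0 || bpp < 0)
        return ALLOC_NEGATIVE_SIZE;
    size_t r = (size_t)rows, c = (size_t)cols, b = (size_t)bpp;
    if (c != 0 && r > SIZE_MAX / c)
        return ALLOC_OVERFLOW;
    size_t pixels = r * c;
    if (b != 0 && pixels > SIZE_MAX / b)
        return ALLOC_OVERFLOW;
    *out = pixels * b;
    return ALLOC_OK;
}

int main(void)
{
    struct str_obj *s = NULL;
    size_t n = 0;
    enum alloc_status st;

    printf("naive size for length -1: %zu (header alone is %zu)\n",
           naive_alloc_size(-1), sizeof(struct str_obj));
    printf("checked, length -1: status %d\n",
           (int)str_from_string_and_size("abc", -1, &s));
    if (str_from_string_and_size("abc", 3, &s) == ALLOC_OK) {
        printf("checked, length 3: \"%s\"\n", s->data);
        free(s);
    }
    st = image_buffer_size(4, 4, 3, &n);
    printf("image 4x4x3: status %d, bytes %zu\n", (int)st, n);
    st = image_buffer_size(LONG_MAX, LONG_MAX, LONG_MAX, &n);
    printf("image LONG_MAX^3: status %d\n", (int)st);
    return 0;
}
```

The point of naive_alloc_size is only to show the wrapped value; the two checked functions are the shape of the fixes (reject negatives and overflowing products before allocating, and report it to the caller rather than relying on assert()).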
