<<< Date Index >>>     <<< Thread Index >>>

[ MDVSA-2009:003 ] python



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:003
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : python
 Date    : January 9, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple integer overflows in imageop.c in the imageop module in
 Python 1.5.2 through 2.5.1 allow context-dependent attackers to
 break out of the Python VM and execute arbitrary code via large
 integer values in certain arguments to the crop function, leading to
 a buffer overflow, a different vulnerability than CVE-2007-4965 and
 CVE-2008-1679. (CVE-2008-4864)
 
 Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6,
 allow context-dependent attackers to have an unknown impact via
 a large integer value in the tabsize argument to the expandtabs
 method, as implemented by (1) the string_expandtabs function in
 Objects/stringobject.c and (2) the unicode_expandtabs function in
 Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists
 because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031)
 
 The updated Python packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 99e168ac1b7ae4bd0d340c2aac462e19  
2008.0/i586/libpython2.5-2.5.2-2.3mdv2008.0.i586.rpm
 8ddb89d22f9456e52758bdfc060cede1  
2008.0/i586/libpython2.5-devel-2.5.2-2.3mdv2008.0.i586.rpm
 c5b19e98a095f6000d5adc2009246ebb  
2008.0/i586/python-2.5.2-2.3mdv2008.0.i586.rpm
 4ce7cec71582068f7d5a00e1b53d9b2d  
2008.0/i586/python-base-2.5.2-2.3mdv2008.0.i586.rpm
 ad15a443a4f832e44864a83c2a6d6e4c  
2008.0/i586/python-docs-2.5.2-2.3mdv2008.0.i586.rpm
 1983242f6100f957af9d264de98119ec  
2008.0/i586/tkinter-2.5.2-2.3mdv2008.0.i586.rpm
 e99d03ebb07f9e6fc47f8619ea8cb832  
2008.0/i586/tkinter-apps-2.5.2-2.3mdv2008.0.i586.rpm 
 2f8ff50c56f46c191b63878f11f7f606  
2008.0/SRPMS/python-2.5.2-2.3mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 7b80a39d64b3a62eabd72cd63df8f2b4  
2008.0/x86_64/lib64python2.5-2.5.2-2.3mdv2008.0.x86_64.rpm
 bcb2d996aa22e004a8d1c142a62b852f  
2008.0/x86_64/lib64python2.5-devel-2.5.2-2.3mdv2008.0.x86_64.rpm
 75b8005ecb4df3d51da30a308ff7864b  
2008.0/x86_64/python-2.5.2-2.3mdv2008.0.x86_64.rpm
 1ee083182c06c5661a2d49e378fe314a  
2008.0/x86_64/python-base-2.5.2-2.3mdv2008.0.x86_64.rpm
 71659dba30fb79c8890992ff77cfae08  
2008.0/x86_64/python-docs-2.5.2-2.3mdv2008.0.x86_64.rpm
 f03df81a9505fc5480f717267eb4f59c  
2008.0/x86_64/tkinter-2.5.2-2.3mdv2008.0.x86_64.rpm
 8bbf6f28976deb9dc9c1651f4179bf3c  
2008.0/x86_64/tkinter-apps-2.5.2-2.3mdv2008.0.x86_64.rpm 
 2f8ff50c56f46c191b63878f11f7f606  
2008.0/SRPMS/python-2.5.2-2.3mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 40768be47280f91652106cae7d52bac3  
2008.1/i586/libpython2.5-2.5.2-2.3mdv2008.1.i586.rpm
 f740a094492e495a7058324c9d7fe5c0  
2008.1/i586/libpython2.5-devel-2.5.2-2.3mdv2008.1.i586.rpm
 8a3a54d6633b1067a303266551fbf11c  
2008.1/i586/python-2.5.2-2.3mdv2008.1.i586.rpm
 6ec33343842298ff0e8719cb69d8d8dd  
2008.1/i586/python-base-2.5.2-2.3mdv2008.1.i586.rpm
 6cf93281ad513c769a27e1a0aed24d89  
2008.1/i586/python-docs-2.5.2-2.3mdv2008.1.i586.rpm
 13b6d462c97fae761f889a9ef1f00445  
2008.1/i586/tkinter-2.5.2-2.3mdv2008.1.i586.rpm
 7503eb04531c6705d544a029575d5ba1  
2008.1/i586/tkinter-apps-2.5.2-2.3mdv2008.1.i586.rpm 
 befe989985d13d16f6f23b9c44300010  
2008.1/SRPMS/python-2.5.2-2.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 51bf8e6e9cfe26fc06540fb2e9c89a97  
2008.1/x86_64/lib64python2.5-2.5.2-2.3mdv2008.1.x86_64.rpm
 bdf744158bd3d0e856d34341db8f9766  
2008.1/x86_64/lib64python2.5-devel-2.5.2-2.3mdv2008.1.x86_64.rpm
 2e48265c3457815f1d8079bbbf289415  
2008.1/x86_64/python-2.5.2-2.3mdv2008.1.x86_64.rpm
 c6b77afb3b6f1263602d1ddcbb010582  
2008.1/x86_64/python-base-2.5.2-2.3mdv2008.1.x86_64.rpm
 d771f65c3c683e15688e243d7f6b5b31  
2008.1/x86_64/python-docs-2.5.2-2.3mdv2008.1.x86_64.rpm
 d392466b1043ed47431e26780402a923  
2008.1/x86_64/tkinter-2.5.2-2.3mdv2008.1.x86_64.rpm
 0c333970463f34e01192f50025e5418a  
2008.1/x86_64/tkinter-apps-2.5.2-2.3mdv2008.1.x86_64.rpm 
 befe989985d13d16f6f23b9c44300010  
2008.1/SRPMS/python-2.5.2-2.3mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 51130cd5a5075d3ba29c3b65393950fe  
2009.0/i586/libpython2.5-2.5.2-5.2mdv2009.0.i586.rpm
 e9a3c47de92e69dc45ee78ec09fdcdf7  
2009.0/i586/libpython2.5-devel-2.5.2-5.2mdv2009.0.i586.rpm
 1512cc21647372972d62143538110f0b  
2009.0/i586/python-2.5.2-5.2mdv2009.0.i586.rpm
 1ee69545d6e690add84393551b3008fb  
2009.0/i586/python-base-2.5.2-5.2mdv2009.0.i586.rpm
 4c2cf514d3bb03dc5690341ef8b57345  
2009.0/i586/python-docs-2.5.2-5.2mdv2009.0.i586.rpm
 7f3d125f0c601fbc650441e9d3d84660  
2009.0/i586/tkinter-2.5.2-5.2mdv2009.0.i586.rpm
 a5de9edf44334b6bd10914b29875b79d  
2009.0/i586/tkinter-apps-2.5.2-5.2mdv2009.0.i586.rpm 
 a693a961c64a55661ff434db34514e54  
2009.0/SRPMS/python-2.5.2-5.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 6c08e75992d0dbcc0588486ba110b7d0  
2009.0/x86_64/lib64python2.5-2.5.2-5.2mdv2009.0.x86_64.rpm
 14b108a893efbe023251b153d1e82510  
2009.0/x86_64/lib64python2.5-devel-2.5.2-5.2mdv2009.0.x86_64.rpm
 993aae03321911db6a6658b1d9c59770  
2009.0/x86_64/python-2.5.2-5.2mdv2009.0.x86_64.rpm
 2b7c1156968c717a439bc0f09cae6377  
2009.0/x86_64/python-base-2.5.2-5.2mdv2009.0.x86_64.rpm
 0d3827f4b2abd8d8708374a10f3d6a29  
2009.0/x86_64/python-docs-2.5.2-5.2mdv2009.0.x86_64.rpm
 850ba6348ca56583ac9d9cdcfe363cf9  
2009.0/x86_64/tkinter-2.5.2-5.2mdv2009.0.x86_64.rpm
 36bd4ed23029a5c85846306722c5c539  
2009.0/x86_64/tkinter-apps-2.5.2-5.2mdv2009.0.x86_64.rpm 
 a693a961c64a55661ff434db34514e54  
2009.0/SRPMS/python-2.5.2-5.2mdv2009.0.src.rpm

 Corporate 4.0:
 d1aaa4775604a3de987ea812484cbbe4  
corporate/4.0/i586/libpython2.4-2.4.5-0.2.20060mlcs4.i586.rpm
 044319e405c74c74ada649911fea096b  
corporate/4.0/i586/libpython2.4-devel-2.4.5-0.2.20060mlcs4.i586.rpm
 70a92760d7ee37150357fd5eed43d0cd  
corporate/4.0/i586/python-2.4.5-0.2.20060mlcs4.i586.rpm
 dd69e4feb812394c47140b42ec319dad  
corporate/4.0/i586/python-base-2.4.5-0.2.20060mlcs4.i586.rpm
 40137c85bd8f45948823be862da2c224  
corporate/4.0/i586/python-docs-2.4.5-0.2.20060mlcs4.i586.rpm
 2f226b42cb832b2c9860f18528a71936  
corporate/4.0/i586/tkinter-2.4.5-0.2.20060mlcs4.i586.rpm 
 83a6e83bb1b31cb4b5a43628e6a762d4  
corporate/4.0/SRPMS/python-2.4.5-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 496d164ca85142afa629e3ea374810d2  
corporate/4.0/x86_64/lib64python2.4-2.4.5-0.2.20060mlcs4.x86_64.rpm
 0ee91a3adf261607b8df677d98b45704  
corporate/4.0/x86_64/lib64python2.4-devel-2.4.5-0.2.20060mlcs4.x86_64.rpm
 05be6f567bd0ae454878fbc91950d5e0  
corporate/4.0/x86_64/python-2.4.5-0.2.20060mlcs4.x86_64.rpm
 5fcaa1f9cc19b6c7a69422fee87081cb  
corporate/4.0/x86_64/python-base-2.4.5-0.2.20060mlcs4.x86_64.rpm
 e449b5dc09573a81c2d46305c0dcc641  
corporate/4.0/x86_64/python-docs-2.4.5-0.2.20060mlcs4.x86_64.rpm
 7e41ff74e33e237c319c36d7de726f3c  
corporate/4.0/x86_64/tkinter-2.4.5-0.2.20060mlcs4.x86_64.rpm 
 83a6e83bb1b31cb4b5a43628e6a762d4  
corporate/4.0/SRPMS/python-2.4.5-0.2.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJZ8kcmqjQ0CJFipgRAid1AJ4r2XGu3/mwmj94DeibPLPf3SLhcQCeLATO
i4D9EZtmJCdN/0XK3eWOBnc=
=iXWH
-----END PGP SIGNATURE-----