Rapid7 Vulnerability & Exploit Database

RHSA-2009:1177: python security update


Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 11/10/2008
Created: 07/25/2018
Added: 09/12/2009
Modified: 07/04/2017

Description

Python is an interpreted, interactive, object-oriented programming language.

When assert() was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. (CVE-2008-1887)

Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service (Python application crash). (CVE-2008-3142, CVE-2008-5031)

Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. (CVE-2008-1679, CVE-2008-4864)

Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). (CVE-2008-3144)

Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service (Python application crash). (CVE-2008-2315, CVE-2008-3143)

An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested that a negative byte count be flushed for a decompression stream, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. (CVE-2008-1721)

Red Hat would like to thank David Remahl of the Apple Product Security team for responsibly reporting the CVE-2008-1679 and CVE-2008-2315 issues.

All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.
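The two allocation-size bug classes the advisory describes, as an added illustration that is not CPython's code and not part of the advisory: a signed string length that reaches the allocator without a negative check (the CVE-2008-1887 pattern) beside its hardened form, and, as a generalization to the imageop-style integer overflows, a checked width * height * depth product. HEADER_SIZE and the product shape of the image buffer are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>   /* ssize_t stands in for CPython's Py_ssize_t */

/* Constructed illustration, not CPython's code. HEADER_SIZE is an assumed
 * fixed object header that precedes the character data. */
#define HEADER_SIZE 24

/* Unchecked, as the advisory describes: a small negative length shrinks the
 * request below the header, so writing the header alone overruns the block. */
size_t str_alloc_size_unchecked(ssize_t len)
{
    return (size_t)(HEADER_SIZE + len + 1);   /* -10 -> 15 bytes */
}

/* Hardened: reject negative lengths and lengths whose sum would wrap.
 * Returns 0 on rejection; a real request is never 0 because of the header. */
size_t str_alloc_size_checked(ssize_t len)
{
    if (len < 0)
        return 0;
    if ((size_t)len > SIZE_MAX - HEADER_SIZE - 1)
        return 0;
    return HEADER_SIZE + (size_t)len + 1;
}

/* Assumed shape of an image-buffer size (width * height * depth), with each
 * factor required to be positive and each partial product checked against
 * SIZE_MAX before multiplying. Returns 0 on rejection. */
size_t image_buf_size_checked(ssize_t width, ssize_t height, ssize_t depth)
{
    if (width <= 0 || height <= 0 || depth <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height, d = (size_t)depth;
    if (w > SIZE_MAX / h)
        return 0;
    size_t wh = w * h;
    if (wh > SIZE_MAX / d)
        return 0;
    return wh * d;
}

int main(void)
{
    printf("unchecked(-10)=%zu checked(-10)=%zu checked(5)=%zu\n",
           str_alloc_size_unchecked(-10), str_alloc_size_checked(-10),
           str_alloc_size_checked(5));
    return 0;
}
```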

Solution(s)

  • redhat-upgrade-python
  • redhat-upgrade-python-devel
  • redhat-upgrade-python-docs
  • redhat-upgrade-python-tools
  • redhat-upgrade-tkinter
