Rapid7 Vulnerability & Exploit Database

RHSA-2011:0027: python security, bug fix, and enhancement update


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 05/27/2010
Created: 07/25/2018
Added: 01/13/2011
Modified: 07/04/2017

Description

Python is an interpreted, interactive, object-oriented programming language.

It was found that many applications embedding the Python interpreter did not specify a valid full path to the script or application when calling the PySys_SetArgv API function, which could result in the addition of the current working directory to the module search path (sys.path). A local attacker able to trick a victim into running such an application in an attacker-controlled directory could use this flaw to execute code with the victim's privileges. This update adds the PySys_SetArgvEx API. Developers can modify their applications to use this new API, which sets sys.argv without modifying sys.path. (CVE-2008-5983)

Multiple flaws were found in the Python rgbimg module. If an application written in Python was using the rgbimg module and loaded a specially-crafted SGI image file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450)

Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089)

This update also fixes the following bugs:

  • ValueError: filedescriptor out of range in select()
    This was due to the subprocess module using the "select" system call. The module now uses the "poll" system call, removing this limitation. (BZ#609020)

As well, this update adds the following enhancements:

All Python users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
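The sys.path exposure behind CVE-2008-5983, as an added Python example that is not part of the advisory: it audits the module search path for entries that resolve to the current working directory, which is the check available to Python-side code when the embedding C application cannot be changed to call PySys_SetArgvEx with updatepath set to 0. The function names and the sample path entries are my own.

```python
"""Defensive audit of sys.path for the CVE-2008-5983 condition.

When an embedding application calls PySys_SetArgv() with a relative
argv[0], the interpreter prepends the script's directory, which for a
bare name is the current working directory, to sys.path. Anyone who
controls that directory can then shadow any module the application
imports. PySys_SetArgvEx(argc, argv, 0) skips the sys.path update; when
the C side cannot be changed, the next best thing is to drop such
entries before importing anything. (Example code, not Red Hat's patch.)
"""
import os
import sys


def cwd_derived_entries(path_entries, cwd):
    """Return the entries of `path_entries` that resolve to `cwd`.

    Covers the empty string (Python's marker for "the current directory"),
    '.', and relative or absolute spellings of the working directory.
    """
    cwd_real = os.path.realpath(cwd)
    hits = []
    for entry in path_entries:
        candidate = entry if entry else "."
        if not os.path.isabs(candidate):
            candidate = os.path.join(cwd, candidate)
        if os.path.realpath(candidate) == cwd_real:
            hits.append(entry)
    return hits


def harden_sys_path(path_entries=None, cwd=None):
    """Return a copy of the search path without cwd-derived entries.

    Defaults to the live sys.path and os.getcwd(); explicit arguments make
    the function testable without touching interpreter state.
    """
    if path_entries is None:
        path_entries = sys.path
    if cwd is None:
        cwd = os.getcwd()
    unsafe = set(cwd_derived_entries(path_entries, cwd))
    return [entry for entry in path_entries if entry not in unsafe]


if __name__ == "__main__":
    before = list(sys.path)
    sys.path[:] = harden_sys_path()
    removed = sorted(set(before) - set(sys.path))
    print("removed cwd-derived sys.path entries:", removed or "none")
```

Run it as the first thing the application does, before any third-party import, since a module already loaded from the working directory is not undone by trimming sys.path afterwards.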

Solution(s)

  • redhat-upgrade-python
  • redhat-upgrade-python-devel
  • redhat-upgrade-python-libs
  • redhat-upgrade-python-tools
  • redhat-upgrade-tkinter
