Security Advisory Moderate: python security update

Advisory: RHSA-2009:1178-1
Type: Security Advisory
Severity: Moderate
Issued on: 2009-07-27
Last updated on: 2009-07-27
Affected Products: Red Hat Desktop (v. 3), Red Hat Enterprise Linux AS (v. 3), Red Hat Enterprise Linux ES (v. 3), Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CVE-2008-1679, CVE-2008-1887, CVE-2008-2315, CVE-2008-3142, CVE-2008-3143, CVE-2008-3144, CVE-2008-4864, CVE-2008-5031

Details

Updated python packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Python is an interpreted, interactive, object-oriented programming
language.

When assert() checks were disabled, an input sanitization flaw was
revealed in the Python string object implementation that led to a buffer
overflow. The missing check for negative size values meant the Python
memory allocator could allocate less memory than expected. This could
result in arbitrary code execution with the Python interpreter's
privileges. (CVE-2008-1887)
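As an added illustration of the CVE-2008-1887 pattern described above (this is not CPython's source or Red Hat's patch), a toy string constructor whose only guard on the size was an assert() that release builds strip, beside a version with a real sign check and an overflow check. The struct layout and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Toy string object: fixed header, then the bytes and a trailing NUL.
 * Illustrative layout only, not CPython's PyStringObject. */
typedef struct {
    size_t length;
    char data[1];
} str_obj;

/* Vulnerable pattern: the only guard on 'size' was assert(size >= 0),
 * which a build with NDEBUG compiles out, so it is omitted here. A
 * negative size makes the allocation *smaller* than the header... */
size_t vuln_alloc_bytes(ssize_t size)
{
    return sizeof(str_obj) + size;        /* size < 0 shrinks the block */
}

/* ...while the same value, converted to size_t for the copy, becomes
 * huge: the copy runs far past the undersized block. */
size_t vuln_copy_bytes(ssize_t size)
{
    return (size_t)size;                  /* -8 becomes SIZE_MAX - 7 */
}

/* Hardened constructor: a runtime sign check that survives NDEBUG, plus
 * an overflow check on header + size + NUL before allocating. */
str_obj *safe_str_new(const char *src, ssize_t size)
{
    if (size < 0)
        return NULL;                      /* reject; never rely on assert */
    if ((size_t)size > SIZE_MAX - sizeof(str_obj) - 1)
        return NULL;                      /* header + size + 1 would wrap */
    str_obj *s = malloc(sizeof(str_obj) + (size_t)size + 1);
    if (s == NULL)
        return NULL;
    s->length = (size_t)size;
    memcpy(s->data, src, (size_t)size);
    s->data[size] = '\0';
    return s;
}
```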

Multiple buffer and integer overflow flaws were found in the Python Unicode
string processing and in the Python Unicode and string object
implementations. An attacker could use these flaws to cause a denial of
service (Python application crash). (CVE-2008-3142, CVE-2008-5031)

Multiple integer overflow flaws were found in the Python imageop module. If
a Python application used the imageop module to process untrusted images,
it could cause the application to crash or, potentially, execute arbitrary
code with the Python interpreter's privileges. (CVE-2008-1679,
CVE-2008-4864)

Multiple integer underflow and overflow flaws were found in the Python
snprintf() wrapper implementation. An attacker could use these flaws to
cause a denial of service (memory corruption). (CVE-2008-3144)

Multiple integer overflow flaws were found in various Python modules. An
attacker could use these flaws to cause a denial of service (Python
application crash). (CVE-2008-2315, CVE-2008-3143)

Red Hat would like to thank David Remahl of the Apple Product Security team
for responsibly reporting the CVE-2008-1679 and CVE-2008-2315 issues.

All Python users should upgrade to these updated packages, which contain
backported patches to correct these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages


Bugs fixed (see bugzilla for more information)

441306 - CVE-2008-1679 python: imageop module integer overflows
443810 - CVE-2008-1887 python: PyString_FromStringAndSize does not check for negative size values
454990 - CVE-2008-3142 python: Multiple buffer overflows in unicode processing
455008 - CVE-2008-2315 python: Multiple integer overflows in python core
455013 - CVE-2008-3143 python: Multiple integer overflows discovered by Google
455018 - CVE-2008-3144 python: Potential integer underflow and overflow in the PyOS_vsnprintf C API function
469656 - CVE-2008-4864 python: imageop module multiple integer overflows
470915 - CVE-2008-5031 python: stringobject, unicodeobject integer overflows


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/