SB2008070105 - Gentoo update for Python




Published: July 1, 2008 Updated: June 28, 2025

Security Bulletin ID: SB2008070105
Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 25%, Medium: 75%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2008-1679)

The vulnerability allows context-dependent attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows.


2) Integer overflow (CVE-ID: CVE-2007-4965)

The vulnerability allows a remote non-authenticated attacker to read memory contents or crash the application.

Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rgbimgmodule.c, and other files, which trigger heap-based buffer overflows.


3) Incorrect Conversion between Numeric Types (CVE-ID: CVE-2008-1721)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.


4) Buffer overflow (CVE-ID: CVE-2008-1887)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.
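
The bug class in items 3 and 4, as an added illustration that is not Python's source code and not part of the original bulletin: a signed size converted for an allocation shrinks the request, and a run-time check (rather than assert()) rejects it. The names `str_obj`, `unchecked_request` and `str_new_checked` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical string object: header followed by size bytes plus a NUL. */
typedef struct {
    long size;
    char data[];
} str_obj;

/* Byte count an unchecked constructor hands to malloc(): the signed size is
   converted to size_t, so a negative value wraps and shrinks the request. */
size_t unchecked_request(long size)
{
    return sizeof(str_obj) + (size_t)size + 1;
}

/* Checked constructor: rejects negative sizes and totals that overflow
   size_t at run time, so the check survives builds where assert() is off. */
str_obj *str_new_checked(const char *src, long size)
{
    if (size < 0)
        return NULL;
    if ((size_t)size > SIZE_MAX - sizeof(str_obj) - 1)
        return NULL;
    str_obj *op = malloc(sizeof(str_obj) + (size_t)size + 1);
    if (op == NULL)
        return NULL;
    op->size = size;
    if (src != NULL)
        memcpy(op->data, src, (size_t)size);
    op->data[size] = '\0';
    return op;
}

int main(void)
{
    /* Constructed inputs: a negative size and a normal 3-byte string. */
    printf("unchecked request for size -2: %zu bytes (header is %zu)\n",
           unchecked_request(-2), sizeof(str_obj));
    str_obj *bad = str_new_checked("abc", -2);
    str_obj *ok = str_new_checked("abc", 3);
    printf("checked(-2) -> %s, checked(3) -> \"%s\"\n",
           bad ? "allocated" : "NULL", ok ? ok->data : "(alloc failed)");
    free(ok);
    return 0;
}
```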


Remediation

Install the update from the vendor's website.