
Re: [SECURITY] [DSA 819-1] New python2.1 packages fix arbitrary code execution



I just noticed that python2.1 on my woody system no longer knows about the
symbol False:

  mhw@world:~$ python2.1
  Python 2.1.3 (#1, Sep 15 2005, 09:09:06)
  [GCC 2.95.4 20011002 (Debian prerelease)] on linux2
  Type "copyright", "credits" or "license" for more information.
  >>> False
  Traceback (most recent call last):
    File "<stdin>", line 1, in ?
  NameError: name 'False' is not defined
  >>>
  mhw@world:~$ dpkg -l python2.1
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
  |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
  ||/ Name           Version        Description
  +++-==============-==============-============================================
  ii  python2.1      2.1.3-3.4      An interactive object-oriented scripting lan
  mhw@world:~$ 

I discovered this because a rarely-used python cgi-bin script on my
woody system stopped working.  Based on my logs, this script worked
properly on 19 Sept 2005 (4 days before this security advisory).  The
next time it was used (today) it failed because "False" is not
defined.  I have not modified the script since May 2005.  I've worked
around the problem for now by switching to python2.2, which still
works properly.

Could you please verify that you didn't break python2.1 on woody with
this security upgrade?

    Thanks,
      Mark


On Fri, Sep 23, 2005 at 11:29:05AM +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 819-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> September 23rd, 2005                    http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : python2.1
> Vulnerability  : integer overflow
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CAN-2005-2491
> BugTraq ID     : 14620
> Debian Bug     : 324531
> 
> An integer overflow with a subsequent buffer overflow has been detected
> in PCRE, the Perl Compatible Regular Expressions library, which allows
> an attacker to execute arbitrary code, and is also present in Python.
> Exploiting this vulnerability requires an attacker to specify the used
> regular expression.
> 
> For the old stable distribution (woody) this problem has been fixed in
> version 2.1.3-3.4.
> 
> For the stable distribution (sarge) this problem has been fixed in
> version 2.1.3dfsg-1sarge1.
> 
> For the unstable distribution (sid) this problem has been fixed in
> version 2.1.3dfsg-3.
> 
> We recommend that you upgrade your python2.1 packages.


