[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1620-1] New python2.5 packages fix several vulnerabilities

On Sun, Jul 27, 2008 at 03:13:22PM +0200, Moritz Muehlenhoff wrote:
> CVE-2007-4965
>     It was discovered that several integer overflows in the imageop
>     module may lead to the execution of arbitrary code, if a user is
>     tricked into processing malformed images. This issue is also
>     tracked as CVE-2008-1679 due to an initially incomplete patch.
> For the stable distribution (etch), these problems have been fixed in
> version 2.5-5+etch1.
> For the unstable distribution (sid), these problems have been fixed in
> version 2.5.2-3.

I wanted to check on this pair of CVEs.  In 2.5.2-3, there is a distinct
patch for CVE-2008-1679. 2.5-5+etch1 and 2.5.2-3 have identical patches
for CVE-2007-4965.  This would seem to imply that 2.5-5+etch1 has the
same "incomplete" patch for CVE-2007-4965, and still needs the fixes
for CVE-2008-1679.  Am I misunderstanding something?



Kees Cook
Ubuntu Security Team

Reply to: