Re: [SECURITY] [DSA 1620-1] New python2.5 packages fix several vulnerabilities
On Sun, Jul 27, 2008 at 03:13:22PM +0200, Moritz Muehlenhoff wrote:
> CVE-2007-4965
>
> It was discovered that several integer overflows in the imageop
> module may lead to the execution of arbitrary code, if a user is
> tricked into processing malformed images. This issue is also
> tracked as CVE-2008-1679 due to an initially incomplete patch.
>
> For the stable distribution (etch), these problems have been fixed in
> version 2.5-5+etch1.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 2.5.2-3.
I wanted to check on this pair of CVEs. In 2.5.2-3, there is a distinct
patch for CVE-2008-1679. 2.5-5+etch1 and 2.5.2-3 have identical patches
for CVE-2007-4965. This would seem to imply that 2.5-5+etch1 has the
same "incomplete" patch for CVE-2007-4965, and still needs the fixes
for CVE-2008-1679. Am I misunderstanding something?
Thanks,
-Kees
--
Kees Cook
Ubuntu Security Team
Reply to: