Date: Mon, 28 Apr 2008 00:00:22 GMT
From: Nick Barkas <snb@threerings.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/123153: Integer signedness bug in zlib module of lang/python23 and lang/python24
Message-ID: <200804280000.m3S00MTb085046@www.freebsd.org>
Resent-Message-ID: <200804280010.m3S0A0cf090884@freefall.freebsd.org>
>Number: 123153
>Category: ports
>Synopsis: Integer signedness bug in zlib module of lang/python23 and lang/python24
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 28 00:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: 7.0-RELEASE
>Organization: Three Rings Design
>Environment:
FreeBSD maguro.moduli.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Python 2.3 and 2.4 suffer from the same integer signedness bug in the zlib module as was fixed recently in the port python25-2.5.2_2. See http://www.vuxml.org/freebsd/ec41c3e2-129c-11dd-bab7-0016179b2dd5.html
>How-To-Repeat:
Run either of the scripts python-2.5.2-zlib-unflush-misallocation.py or python-2.5.2-zlib-unflush-signedness.py attached to the bug reported at http://bugs.python.org/issue2586. Unpatched python 2.3 or 2.4 will crash, just as unpatched python 2.5 will.
>Fix:
Add the patch currently in lang/python25/files/patch-Modules-zlibmodule.c to lang/python24/files and lang/python23/files. It would also be good to update security/vuxml/vuln.xml to note that the vulnerability also affects python23 and python24 packages with version and port revision numbers before this patch is added.
>Release-Note:
>Audit-Trail:
>Unformatted: