Date: Thu, 26 Apr 2012 22:01:20 -0400 From: Eitan Adler <lists@eitanadler.com> To: python@freebsd.org Cc: ports-security@freebsd.org Subject: Fwd: [oss-security] CVE Request: Python 3.2/3.3 utf-16 decoder unicode_decode_call_errorhandler aligned_end is not updated Message-ID: <CAF6rxg=8rTcXi%2B7tsdSLdBPuF9t9W3pHwC3RLpUhCtVeTQASEw@mail.gmail.com> In-Reply-To: <4F979B38.4000307@redhat.com> References: <4F979B38.4000307@redhat.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Is anyone working on updating python and/or writing a vuxml report for this= ? CVE CVE-2012-2135 ---------- Forwarded message ---------- From: Kurt Seifried <kseifried@redhat.com> Date: 25 April 2012 02:35 Subject: [oss-security] CVE Request: Python 3.2/3.3 utf-16 decoder unicode_decode_call_errorhandler aligned_end is not updated To: "oss >> \"oss-security@lists.openwall.com\"" <oss-security@lists.openwall.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Python 3.2/3.3 utf-16 decoder unicode_decode_call_errorhandler aligned_end is not updated does not appear to affect Python 2.x memory leak/crashes/etc. http://bugs.python.org/issue14579 Author: Serhiy Storchaka (storchaka) =C2=A0 =C2=A0Date: 2012-04-14 18:46 In the utf-16 decoder after calling unicode_decode_call_errorhandler aligned_end is not updated. This may potentially cause data leaks, memory damage, and crash. The bug introduced by implementation of the issue #4868. In a similar situation in the utf-8 decoder aligned_end is updated. =3D=3D=3D=3D=3D=3D=3D=3D More discussion and links to the patches/etc. in the bug. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPl5s3AAoJEBYNRVNeJnmTSxEP/0BAZDzBuJC6jNAUBxp8BL0j a1NXA3N8JFNkHh4u0/G4VHlYBndMIDimfXf6jwd2mj37o9NpBG2prOUpioXXMZ/K LHhlOZHGs9jZLBzdoXtEZi1CAQptKbfOPQHbZvi8HkVu7XVXMEckZ5RJaNJ0urjT 7RH3bVD8rV5D+/cqD3Rr67ld6XrM+n2aCsq32vWxUsZUlmjckCPann2Y9kpLEWDQ sG42nf994WSV/h8D6A3U7Rnpw+jQUlmjALmw6AcBAQJtOrBt9OL5BMIEowAIBviY rvFL7GOQGYS1Wn53MVbQTuLjmJX2OEzgfvEdeUbzGNB60/0C13PvSPRqMfG2aLu8 npemlZRv3Lqkufih/pUsRkWUkZJZR7c+VSmFuGlJ+XD2q5LRUVxdOOV5ntdMoQw7 kNfCyPdeMwHoMIFr1xI+z4aZO8nVlyr92SmR1N4nvGSQ/tZjYaa9IoNYCc/13Jm9 aOl6zz8dqmREsImofb4BL4S77/bCaOKmQDuLaghgoOROKDZeeTQ3u1bxGhc9OFXT M3sSMdva9A8ehF2XRqfyw8s1+kx0v/TvOWoWLWwGl8fhJGETMJ/Y4+myxqvUAsf+ RxWhXI0wKaGNzFbtCZ2xrnUxpBJeiE1Agr8rd/+yVbkQBPajAEnisGqzMKPhRqPi E9fe8lgLB0xib5welCIV =3DS2+D -----END PGP SIGNATURE----- --=20 Eitan Adler
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAF6rxg=8rTcXi%2B7tsdSLdBPuF9t9W3pHwC3RLpUhCtVeTQASEw>