http://bugs.python.org/issue8678

APPLE-SA-2010-11-10-1

SUSE-SR:2011:002

42888

43068

43364

http://support.apple.com/kb/HT4435

MDVSA-2010:215

RHSA-2011:0027

RHSA-2011:0260

40365

ADV-2011-0122

ADV-2011-0212

ADV-2011-0413

https://bugzilla.redhat.com/show_bug.cgi?id=541698

From Red Hat Security Advisory 2011:0260 :

Updated python packages that fix multiple security issues and three bugs are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Python is an interpreted, interactive, object-oriented programming language.

Multiple flaws were found in the Python rgbimg module. If an application written in Python was using the rgbimg module and loaded a specially crafted SGI image file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450)

This update also fixes the following bugs :

* Python 2.3.4's time.strptime() function did not correctly handle the '%W' week number format string. This update backports the _strptime implementation from Python 2.3.6, fixing this issue. (BZ#436001)

* Python 2.3.4's socket.htons() function returned partially-uninitialized data on IBM System z, generally leading to incorrect results. (BZ#513341)

* Python 2.3.4's pwd.getpwuid() and grp.getgrgid() functions did not support the full range of user and group IDs on 64-bit architectures, leading to 'OverflowError' exceptions for large input values. This update adds support for the full range of user and group IDs on 64-bit architectures. (BZ#497540)

Users of Python should upgrade to these updated packages, which contain backported patches to correct these issues.

Multiple flaws were found in the Python rgbimg module. If an application written in Python was using the rgbimg module and loaded a specially crafted SGI image file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450)

This update also fixes the following bugs :

  - Python 2.3.4's time.strptime() function did not     correctly handle the '%W' week number format string.
    This update backports the _strptime implementation from     Python 2.3.6, fixing this issue. (BZ#436001)

  - Python 2.3.4's socket.htons() function returned     partially-uninitialized data on IBM System z, generally     leading to incorrect results. (BZ#513341)

  - Python 2.3.4's pwd.getpwuid() and grp.getgrgid()     functions did not support the full range of user and     group IDs on 64-bit architectures, leading to     'OverflowError' exceptions for large input values. This     update adds support for the full range of user and group     IDs on 64-bit architectures. (BZ#497540)

It was found that many applications embedding the Python interpreter did not specify a valid full path to the script or application when calling the PySys_SetArgv API function, which could result in the addition of the current working directory to the module search path (sys.path). A local attacker able to trick a victim into running such an application in an attacker-controlled directory could use this flaw to execute code with the victim's privileges. This update adds the PySys_SetArgvEx API. Developers can modify their applications to use this new API, which sets sys.argv without modifying sys.path.
(CVE-2008-5983)

Multiple flaws were found in the Python rgbimg module. If an application written in Python was using the rgbimg module and loaded a specially crafted SGI image file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450)

Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089)

This update also fixes the following bugs :

  - When starting a child process from the subprocess module     in Python 2.4, the parent process could leak file     descriptors if an error occurred. This update resolves     the issue. (BZ#609017)

  - Prior to Python 2.7, programs that used 'ulimit -n' to     enable communication with large numbers of subprocesses     could still monitor only 1024 file descriptors at a     time, which caused an exception :

    ValueError: filedescriptor out of range in select()

This was due to the subprocess module using the 'select' system call.
The module now uses the 'poll' system call, removing this limitation.
(BZ#609020)

  - Prior to Python 2.5, the tarfile module failed to unpack     tar files if the path was longer than 100 characters.
    This update backports the tarfile module from Python 2.5     and the issue no longer occurs. (BZ#263401)

  - The email module incorrectly implemented the logic for     obtaining attachment file names: the get_filename()     fallback for using the deprecated 'name' parameter of     the 'Content-Type' header erroneously used the     'Content-Disposition' header. This update backports a     fix from Python 2.6, which resolves this issue.
    (BZ#644147)

  - Prior to version 2.5, Python's optimized memory     allocator never released memory back to the system. The     memory usage of a long-running Python process would     resemble a 'high-water mark'. This update backports a     fix from Python 2.5a1, which frees unused arenas, and     adds a non-standard sys._debugmallocstats() function,     which prints diagnostic information to stderr. Finally,     when running under Valgrind, the optimized allocator is     deactivated, to allow more convenient debugging of     Python memory usage issues. (BZ#569093)

  - The urllib and urllib2 modules ignored the no_proxy     variable, which could lead to programs such as 'yum'     erroneously accessing a proxy server for URLs covered by     a 'no_proxy' exclusion. This update backports fixes of     urllib and urllib2, which respect the 'no_proxy'     variable, which fixes these issues. (BZ#549372)

As well, this update adds the following enhancements :

  - This update introduces a new python-libs package,     subsuming the majority of the content of the core python     package. This makes both 32-bit and 64-bit Python     libraries available on PowerPC systems. (BZ#625372)

  - The python-libs.i386 package is now available for 64-bit     Itanium with the 32-bit Itanium compatibility mode.
    (BZ#644761)

Updated python packages that fix multiple security issues and three bugs are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Python is an interpreted, interactive, object-oriented programming language.

Multiple flaws were found in the Python rgbimg module. If an application written in Python was using the rgbimg module and loaded a specially crafted SGI image file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450)

This update also fixes the following bugs :

* Python 2.3.4's time.strptime() function did not correctly handle the '%W' week number format string. This update backports the _strptime implementation from Python 2.3.6, fixing this issue. (BZ#436001)

* Python 2.3.4's socket.htons() function returned partially-uninitialized data on IBM System z, generally leading to incorrect results. (BZ#513341)

* Python 2.3.4's pwd.getpwuid() and grp.getgrgid() functions did not support the full range of user and group IDs on 64-bit architectures, leading to 'OverflowError' exceptions for large input values. This update adds support for the full range of user and group IDs on 64-bit architectures. (BZ#497540)

Users of Python should upgrade to these updated packages, which contain backported patches to correct these issues.

With this update of Python :

  - a race condition in the accept() implementation of     smtpd.py could lead to a denial of service.
    (CVE-2010-3493)

  - integer overflows and insufficient size checks could     crash the audioop and rgbimg modules. (CVE-2010-2089 /     CVE-2010-1634 / CVE-2009-4134 / CVE-2010-1449 /     CVE-2010-1450)

Updated python packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Python is an interpreted, interactive, object-oriented programming language.

It was found that many applications embedding the Python interpreter did not specify a valid full path to the script or application when calling the PySys_SetArgv API function, which could result in the addition of the current working directory to the module search path (sys.path). A local attacker able to trick a victim into running such an application in an attacker-controlled directory could use this flaw to execute code with the victim's privileges. This update adds the PySys_SetArgvEx API. Developers can modify their applications to use this new API, which sets sys.argv without modifying sys.path.
(CVE-2008-5983)

Multiple flaws were found in the Python rgbimg module. If an application written in Python was using the rgbimg module and loaded a specially crafted SGI image file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450)

Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089)

This update also fixes the following bugs :

* When starting a child process from the subprocess module in Python 2.4, the parent process could leak file descriptors if an error occurred. This update resolves the issue. (BZ#609017)

* Prior to Python 2.7, programs that used 'ulimit -n' to enable communication with large numbers of subprocesses could still monitor only 1024 file descriptors at a time, which caused an exception :

ValueError: filedescriptor out of range in select()

This was due to the subprocess module using the 'select' system call.
The module now uses the 'poll' system call, removing this limitation.
(BZ#609020)

* Prior to Python 2.5, the tarfile module failed to unpack tar files if the path was longer than 100 characters. This update backports the tarfile module from Python 2.5 and the issue no longer occurs.
(BZ#263401)

* The email module incorrectly implemented the logic for obtaining attachment file names: the get_filename() fallback for using the deprecated 'name' parameter of the 'Content-Type' header erroneously used the 'Content-Disposition' header. This update backports a fix from Python 2.6, which resolves this issue. (BZ#644147)

* Prior to version 2.5, Python's optimized memory allocator never released memory back to the system. The memory usage of a long-running Python process would resemble a 'high-water mark'. This update backports a fix from Python 2.5a1, which frees unused arenas, and adds a non-standard sys._debugmallocstats() function, which prints diagnostic information to stderr. Finally, when running under Valgrind, the optimized allocator is deactivated, to allow more convenient debugging of Python memory usage issues. (BZ#569093)

* The urllib and urllib2 modules ignored the no_proxy variable, which could lead to programs such as 'yum' erroneously accessing a proxy server for URLs covered by a 'no_proxy' exclusion. This update backports fixes of urllib and urllib2, which respect the 'no_proxy' variable, which fixes these issues. (BZ#549372)

As well, this update adds the following enhancements :

* This update introduces a new python-libs package, subsuming the majority of the content of the core python package. This makes both 32-bit and 64-bit Python libraries available on PowerPC systems.
(BZ#625372)

* The python-libs.i386 package is now available for 64-bit Itanium with the 32-bit Itanium compatibility mode. (BZ#644761)

All Python users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

Versions of Mac OS X 10.6 earlier than 10.6.5 are potentially affected by multiple vulnerabilities.  Mac OS X 10.6.5 contains security fixes for the following products :

  - AFP Server

  - Apache mod_perl

  - Apache

  - AppKit

  - ATS

  - CFNetwork

  - CoreGraphics

  - CoreText

  - CUPS

  - Directory Services

  - diskdev_cmds

Disk Images

  - Flash Player plug-in

  - gzip

  - Image Capture

  - ImageIO

  - Image RAW

  - Kernel

  - MySQL

  - neon

  - Networking

  - OpenLDAP

  - OpenSSL

  - Password Server

  - PHP

  - Printing

  - python

  - QuickLook

  - QuickTime

  - Safari RSS

  - Time Machine

  - Wiki Server

  - X11

  - xar

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-007 applied. 

This security update contains fixes for the following products :

  - AFP Server
  - Apache mod_perl
  - ATS
  - CFNetwork
  - CoreGraphics
  - CoreText
  - CUPS
  - Directory Services
  - diskdev_cmds
  - Disk Images
  - Flash Player plug-in
  - gzip
  - ImageIO
  - Image RAW
  - MySQL
  - Password Server
  - PHP
  - Printing
  - python
  - QuickLook
  - Safari RSS
  - Wiki Server
  - X11

The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.5.

Mac OS X 10.6.5 contains security fixes for the following products :

  - AFP Server
  - Apache mod_perl
  - Apache
  - AppKit
  - ATS
  - CFNetwork
  - CoreGraphics
  - CoreText
  - CUPS
  - Directory Services
  - diskdev_cmds
  - Disk Images
  - Flash Player plug-in
  - gzip
  - Image Capture
  - ImageIO
  - Image RAW
  - Kernel
  - MySQL
  - neon
  - Networking
  - OpenLDAP
  - OpenSSL
  - Password Server
  - PHP
  - Printing
  - python
  - QuickLook
  - QuickTime
  - Safari RSS
  - Time Machine
  - Wiki Server
  - X11
  - xar

Multiple vulnerabilities was discovered and corrected in python :

Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference (CVE-2009-4134).

Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12 (CVE-2010-1449).

Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function (CVE-2010-1450).

The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections (CVE-2010-3492).

Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492 (CVE-2010-3493).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

The updated packages have been patched to correct these issues.

ID	Name	Product	Family	Severity
68201	Oracle Linux 4 : python (ELSA-2011-0260)	Nessus	Oracle Linux Local Security Checks	high
60960	Scientific Linux Security Update : python on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60935	Scientific Linux Security Update : python on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
52007	RHEL 4 : python (RHSA-2011:0260)	Nessus	Red Hat Local Security Checks	high
51642	SuSE 10 Security Update : Python (ZYPP Patch Number 7314)	Nessus	SuSE Local Security Checks	high
51524	RHEL 5 : python (RHSA-2011:0027)	Nessus	Red Hat Local Security Checks	high
800791	Mac OS X 10.6 < 10.6.5 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
5705	Mac OS X 10.6 < 10.6.5 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
50549	Mac OS X Multiple Vulnerabilities (Security Update 2010-007)	Nessus	MacOS X Local Security Checks	high
50548	Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
50423	Mandriva Linux Security Advisory : python (MDVSA-2010:215)	Nessus	Mandriva Local Security Checks	high

CVE-2010-1450

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

critical

high

critical

high