Debian DSA-1620-1 : python2.5 - several vulnerabilities

Nessus Plugin ID 33740 (severity: high)
VPR Score: 6.7

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2007-2052: Piotr Engelking discovered that the strxfrm() function of the locale module miscalculates the length of an internal buffer, which may result in a minor information disclosure.

- CVE-2007-4965: It was discovered that several integer overflows in the imageop module may lead to the execution of arbitrary code, if a user is tricked into processing malformed images. This issue is also tracked as CVE-2008-1679 due to an initially incomplete patch.

- CVE-2008-1721: Justin Ferguson discovered that a buffer overflow in the zlib module may lead to the execution of arbitrary code.

- CVE-2008-1887: Justin Ferguson discovered that insufficient input validation in PyString_FromStringAndSize() may lead to the execution of arbitrary code.

Solution

Upgrade the python2.5 packages.

For the stable distribution (etch), these problems have been fixed in version 2.5-5+etch1.

See Also

https://security-tracker.debian.org/tracker/CVE-2007-2052

https://security-tracker.debian.org/tracker/CVE-2007-4965

https://security-tracker.debian.org/tracker/CVE-2008-1679

https://security-tracker.debian.org/tracker/CVE-2008-1721

https://security-tracker.debian.org/tracker/CVE-2008-1887

https://www.debian.org/security/2008/dsa-1620

Plugin Details

Severity: High

ID: 33740

File Name: debian_DSA-1620.nasl

Version: 1.19

Type: local

Agent: unix

Published: 7/28/2008

Updated: 1/4/2021

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python2.5, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/27/2008

Reference Information

CVE: CVE-2007-2052, CVE-2007-4965, CVE-2008-1679, CVE-2008-1721, CVE-2008-1887

BID: 25696, 28715, 28749

DSA: 1620

CWE: 119, 189