BUGTRAQ ID: 30491 CVE ID:CVE-2008-2315 CVE-2008-2316 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CNCVE ID:CNCVE-20082315 CNCVE-20082316 CNCVE-20083142 CNCVE-20083143 CNCVE-20083144 Python是一款开放源代码的脚本编程语言。 Python中存在多个整数溢出漏洞,远程攻击者可以利用漏洞对应用程序进行拒绝服务或者任意代码执行攻击。 1) stringobject、unicodeobject、bufferobject、longobject、tupleobject、stropmodule、gcmodule、mmapmodule等核心模块中存在各种整数溢出。 2) hashlib模块中的整数溢出可导致不可信的加密摘要结果。 3) 在处理unicode字符串时unicode_resize()中的整数溢出可能在32位系统上出现缓冲区溢出错误。以下是有漏洞的代码段: static int unicode_resize(register PyUnicodeObject *unicode, Py_ssize_t length) { [...] oldstr = unicode->str; PyMem_RESIZE(unicode->str, Py_UNICODE, length + 1); [...] unicode->str[length] = 0; unicode->length = length; #define PyMem_RESIZE(p, type, n) \ ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) ) 4) 在没有vsnprintf()函数的架构上,PyOS_vsnprintf()函数中存在整数溢出漏洞。以下是有漏洞的代码段: int PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) { int...
BUGTRAQ ID: 30491 CVE ID:CVE-2008-2315 CVE-2008-2316 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CNCVE ID:CNCVE-20082315 CNCVE-20082316 CNCVE-20083142 CNCVE-20083143 CNCVE-20083144 Python是一款开放源代码的脚本编程语言。 Python中存在多个整数溢出漏洞,远程攻击者可以利用漏洞对应用程序进行拒绝服务或者任意代码执行攻击。 1) stringobject、unicodeobject、bufferobject、longobject、tupleobject、stropmodule、gcmodule、mmapmodule等核心模块中存在各种整数溢出。 2) hashlib模块中的整数溢出可导致不可信的加密摘要结果。 3) 在处理unicode字符串时unicode_resize()中的整数溢出可能在32位系统上出现缓冲区溢出错误。以下是有漏洞的代码段: static int unicode_resize(register PyUnicodeObject *unicode, Py_ssize_t length) { [...] oldstr = unicode->str; PyMem_RESIZE(unicode->str, Py_UNICODE, length + 1); [...] unicode->str[length] = 0; unicode->length = length; #define PyMem_RESIZE(p, type, n) \ ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) ) 4) 在没有vsnprintf()函数的架构上,PyOS_vsnprintf()函数中存在整数溢出漏洞。以下是有漏洞的代码段: int PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) { int len; /* # bytes written, excluding \0 */ [...] assert(str != NULL); assert(size > 0); assert(format != NULL); [...] /* Emulate it. */ buffer = PyMem_MALLOC(size + 512); if (buffer == NULL) { len = -666; goto Done; } len = vsprintf(buffer, format, va); if (len < 0) /* ignore the error */; else if ((size_t)len >= size + 512) Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); else { const size_t to_copy = (size_t)len < size ? (size_t)len : size - 1; assert(to_copy < size); memcpy(str, buffer, to_copy); str[to_copy] = '\0'; } PyMem_FREE(buffer); Done: [...] str[size-1] = '\0'; return len; } 5) 当0长度的字符串发送给PyOS_vsnprintf()函数,就可能触发整数溢出,导致内存破坏。以下是有漏洞的代码段: int PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) { int len; /* # bytes written, excluding \0 */ #ifndef HAVE_SNPRINTF char *buffer; #endif assert(str != NULL); assert(size > 0); assert(format != NULL); [...] len = vsnprintf(str, size, format, va); [...] str[size-1] = '\0'; return len; } Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu Ubuntu Linux 8.04 LTS amd64 Ubuntu Ubuntu Linux 7.10 sparc Ubuntu Ubuntu Linux 7.10 powerpc Ubuntu Ubuntu Linux 7.10 lpia Ubuntu Ubuntu Linux 7.10 i386 Ubuntu Ubuntu Linux 7.10 amd64 Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux 12.1 Slackware Linux 12.0 Slackware Linux 11.0 Slackware Linux -current Python Software Foundation Python 2.5.2 Python Software Foundation Python 2.5.1 Python Software Foundation Python 2.4.4 Python Software Foundation Python 2.4.3 + Trustix Secure Linux 3.0.5 Python Software Foundation Python 2.4.2 Python Software Foundation Python 2.4.1 Python Software Foundation Python 2.4 Python Software Foundation Python 2.3.6 Python Software Foundation Python 2.3.5 Python Software Foundation Python 2.3.4 + MandrakeSoft Linux Mandrake 10.1 x86_64 + MandrakeSoft Linux Mandrake 10.1 + S.u.S.E. Linux Personal 9.2 x86_64 + S.u.S.E. Linux Personal 9.2 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 Python Software Foundation Python 2.3.3 + MandrakeSoft Corporate Server 3.0 x86_64 + MandrakeSoft Corporate Server 3.0 + MandrakeSoft Linux Mandrake 10.0 AMD64 + MandrakeSoft Linux Mandrake 10.0 + MandrakeSoft Linux Mandrake 9.2 amd64 + MandrakeSoft Linux Mandrake 9.2 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 Python Software Foundation Python 2.3.2 Python Software Foundation Python 2.3.1 Python Software Foundation Python 2.3 b1 Python Software Foundation Python 2.3 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 Python Software Foundation Python 2.2.3 + RedHat Desktop 3.0 + RedHat Enterprise Linux AS 3 + RedHat Enterprise Linux ES 3 + RedHat Enterprise Linux WS 3 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 Python Software Foundation Python 2.2.2 + OpenPKG OpenPKG 1.2 + RedHat Linux 7.3 + S.u.S.E. Linux Personal 8.2 Python Software Foundation Python 2.2.1 + Debian Linux 3.0 sparc + Debian Linux 3.0 s/390 + Debian Linux 3.0 ppc + Debian Linux 3.0 mipsel + Debian Linux 3.0 mips + Debian Linux 3.0 m68k + Debian Linux 3.0 ia-64 + Debian Linux 3.0 ia-32 + Debian Linux 3.0 hppa + Debian Linux 3.0 arm + Debian Linux 3.0 alpha + Debian Linux 3.0 + Gentoo Linux 1.4 _rc1 + Gentoo Linux 1.2 + MandrakeSoft Corporate Server 2.1 x86_64 + MandrakeSoft Corporate Server 2.1 + MandrakeSoft Linux Mandrake 9.0 + OpenPKG OpenPKG 1.1 + S.u.S.E. Linux 8.1 Python Software Foundation Python 2.2 + Conectiva Linux 8.0 + MandrakeSoft Linux Mandrake 8.2 ppc + MandrakeSoft Linux Mandrake 8.2 + MandrakeSoft Linux Mandrake 8.1 ia64 + MandrakeSoft Linux Mandrake 8.1 Python Software Foundation Python 2.1.3 + Debian Linux 3.0 Python Software Foundation Python 2.1.2 Python Software Foundation Python 2.1.1 + RedHat Linux 7.2 + Sun Linux 5.0.7 Python Software Foundation Python 2.1 + Conectiva Linux 7.0 + Debian Linux 3.1 sparc + Debian Linux 3.1 s/390 + Debian Linux 3.1 ppc + Debian Linux 3.1 mipsel + Debian Linux 3.1 mips + Debian Linux 3.1 m68k + Debian Linux 3.1 ia-64 + Debian Linux 3.1 ia-32 + Debian Linux 3.1 hppa + Debian Linux 3.1 arm + Debian Linux 3.1 amd64 + Debian Linux 3.1 alpha + Debian Linux 3.1 + Debian Linux 3.0 sparc + Debian Linux 3.0 s/390 + Debian Linux 3.0 ppc + Debian Linux 3.0 mipsel + Debian Linux 3.0 mips + Debian Linux 3.0 m68k + Debian Linux 3.0 ia-64 + Debian Linux 3.0 ia-32 + Debian Linux 3.0 hppa + Debian Linux 3.0 arm + Debian Linux 3.0 alpha + Debian Linux 3.0 Python Software Foundation Python 2.0.1 Python Software Foundation Python 2.0 + MandrakeSoft Linux Mandrake 8.0 ppc + MandrakeSoft Linux Mandrake 8.0 Python Software Foundation Python 2.5 Gentoo Linux Gentoo ------ Gentoo可参考如下安全公告获得相应补丁: <a href=http://security.gentoo.org/glsa/glsa-200807-16.xml target=_blank>http://security.gentoo.org/glsa/glsa-200807-16.xml</a> Python 2.4用户应升级到最新版本: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r14" Python 2.5用户应升级到最新版本: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.2-r6" Python已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://svn.python.org/view?rev=65335&view=rev target=_blank>http://svn.python.org/view?rev=65335&view=rev</a>
