|Python PyLocale_strxfrm函数远程信息泄露漏洞

Python PyLocale_strxfrm函数远程信息泄露漏洞

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

BUGTRAQ ID: 23887 CVE(CAN) ID: CVE-2007-2052 Python是一种开放源代码的脚本编程语言。 Python的Modules/_localemodule.c文件中的PyLocale_strxfrm函数中存在单字节溢出漏洞，允许攻击者读取部分内存内容。 Modules/_localemodule.c:361 356 n1 = strlen(s) + 1; 357 buf = PyMem_Malloc(n1); 358 if (!buf) 359 return PyErr_NoMemory(); 360 n2 = strxfrm(buf, s, n1); 如果所转换的字符串长于原始字符串的话： 361 if (n2 > n1) { 362 /* more space needed */ 在这里会分配n2字节： 363 buf = PyMem_Realloc(buf, n2); 364 if (!buf) 365 return PyErr_NoMemory(); 字符串会为n2字符长，终止的空字符不适合这个长度，因此字符串不会终止，在某些情况下可能导致信息泄露。 366 strxfrm(buf, s, n2); 367 } 368 result = PyString_FromString(buf); 369 PyMem_Free(buf); 370 return result; 371 } 372 373 #if defined(MS_WINDOWS) 374 static PyObject* 375 PyLocale_getdefaultlocale(PyObject* self) Python Software Foundation Python 2.5 Python Software Foundation Python 2.4 厂商补丁： Debian ------ Debian已经为此发布了一个安全公告（DSA-1551-1）以及相应补丁: DSA-1551-1：New python2.4 packages fix several vulnerabilities 链接：<a href=http://www.debian.org/security/2008/dsa-1551 target=_blank>http://www.debian.org/security/2008/dsa-1551</a> 补丁下载： Source archives: <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.diff.gz target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.diff.gz</a> Size/MD5 checksum: 195434 8b86b3dc4c5a86a9ad8682fee56f30ca <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz</a> Size/MD5 checksum: 9508940 f74ef9de91918f8927e75e8c3024263a <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.dsc target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.dsc</a> Size/MD5 checksum: 1201 585773fd24634e05bb56b8cc85215c65 Architecture independent packages: <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch1_all.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch1_all.deb</a> Size/MD5 checksum: 589642 63092c4cd1ea78c0993345be25a162b8 <a href=http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch1_all.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch1_all.deb</a> Size/MD5 checksum: 60864 21664a3f029087144046b6c175e88736 alpha architecture (DEC Alpha) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_alpha.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_alpha.deb</a> Size/MD5 checksum: 2968890 60a29f058a96e21d278a738fbb8067bf <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_alpha.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_alpha.deb</a> Size/MD5 checksum: 1848176 ddb7c47970f277baa00e6c080e4530bd <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_alpha.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_alpha.deb</a> Size/MD5 checksum: 5226532 5aa6daa859acdfdfcb7445586f4a0eb6 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_alpha.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_alpha.deb</a> Size/MD5 checksum: 963606 38c08ee31ae6189631e503ad3d76fa87 amd64 architecture (AMD x86_64 (AMD64)) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_amd64.deb</a> Size/MD5 checksum: 2967058 6f06a90e94a6068b126413111185aff5 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_amd64.deb</a> Size/MD5 checksum: 1635936 d5f98666609c652224b5552f5bb6b7a9 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_amd64.deb</a> Size/MD5 checksum: 966196 7436b29b52acd99872d79b595f489ace <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_amd64.deb</a> Size/MD5 checksum: 5587046 82444f4d11055f259d0899a0f8574b37 arm architecture (ARM) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_arm.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_arm.deb</a> Size/MD5 checksum: 2881272 408ac2b8cd6180975109364b26ae1c95 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_arm.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_arm.deb</a> Size/MD5 checksum: 901442 88d59caa6744da5c62a802124087d09c <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_arm.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_arm.deb</a> Size/MD5 checksum: 1500512 3113ad3590f5969703ce426a23ca67dd <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_arm.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_arm.deb</a> Size/MD5 checksum: 5351974 4f77de8e3dd9c12aa1e06a57cee82dac hppa architecture (HP PA RISC) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_hppa.deb</a> Size/MD5 checksum: 3073066 1b4498c26a825c27c6d9765ed8a2e33e <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_hppa.deb</a> Size/MD5 checksum: 5521834 68a5524fdb007cacc29a38865a43781d <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_hppa.deb</a> Size/MD5 checksum: 1798220 6c9ce4754c024fbd1674a63c5ba0f06a <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_hppa.deb</a> Size/MD5 checksum: 1017646 b8dd6490a43da08aa36c43712c360ff8 i386 architecture (Intel ia32) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_i386.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_i386.deb</a> Size/MD5 checksum: 2849512 2598cb802b7f5e1aac6404b801a0a7f0 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_i386.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_i386.deb</a> Size/MD5 checksum: 1508782 b8ffe50ecf5dfe173765dc5b263b7737 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_i386.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_i386.deb</a> Size/MD5 checksum: 5176966 f6892dc5e598f1811bfc32ea81a863d6 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_i386.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_i386.deb</a> Size/MD5 checksum: 900670 7956a1cf96b4b59de2d9e4972e04fff2 ia64 architecture (Intel ia64) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_ia64.deb</a> Size/MD5 checksum: 3371938 88e170459b0762e1db775753f6d69bb5 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_ia64.deb</a> Size/MD5 checksum: 2269496 2c1ef318f92b9d4b1c202ad77c8c4462 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_ia64.deb</a> Size/MD5 checksum: 1289496 d6fba2d2ea64736cf614b0b3b1ced9bf <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_ia64.deb</a> Size/MD5 checksum: 6059106 e1008e68d3d775590b2a29bd7bec7b6c mips architecture (MIPS (Big Endian)) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mips.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mips.deb</a> Size/MD5 checksum: 2906992 e6e43c336e1095e3fe7f5985e500bf55 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mips.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mips.deb</a> Size/MD5 checksum: 1725610 a9e2b6b11b1d9185885a9f99ed2d03b8 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mips.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mips.deb</a> Size/MD5 checksum: 5646190 5c420d1aa984c190b121c8494c6fca5a <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mips.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mips.deb</a> Size/MD5 checksum: 956712 4949e953435f72cf9d06bb8684170175 mipsel architecture (MIPS (Little Endian)) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mipsel.deb</a> Size/MD5 checksum: 1717120 30986065ecf6810f46294c8ca196b538 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mipsel.deb</a> Size/MD5 checksum: 939320 89571b10c2635774f65921083344a911 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mipsel.deb</a> Size/MD5 checksum: 5507492 a06d9728ef16072ee50b3a1fcf7d08a8 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mipsel.deb</a> Size/MD5 checksum: 2863620 90b6a4b2c498acb4a46e205d36cf8ec9 powerpc architecture (PowerPC) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_powerpc.deb</a> Size/MD5 checksum: 1639780 4b7c83795b6d07c3a4050d5db977c577 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_powerpc.deb</a> Size/MD5 checksum: 5778968 7e97b8f62daf0f91e48bf6af20552b51 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_powerpc.deb</a> Size/MD5 checksum: 2956174 8e55e492ee8aa6e4787e77b161a245e5 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_powerpc.deb</a> Size/MD5 checksum: 978078 9212e583942704f71a07478baa4d6446 s390 architecture (IBM S/390) <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_s390.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_s390.deb</a> Size/MD5 checksum: 973904 3cc580a21934a7f5fac203235386e250 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_s390.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_s390.deb</a> Size/MD5 checksum: 2976776 efb7a2dc81b69a45ead47986d3b8fce5 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_s390.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_s390.deb</a> Size/MD5 checksum: 1646932 146ee8341c514308b15ca151753b3ca8 <a href=http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_s390.deb target=_blank>http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_s390.deb</a> Size/MD5 checksum: 5667818 9b4543d9a0e5f51e8d9b790f6c3b43c8 补丁安装方法： 1. 手工安装补丁包：首先，使用下面的命令来下载补丁软件： # wget url (url是补丁下载链接地址) 然后，使用下面的命令来安装补丁： # dpkg -i file.deb (file是相应的补丁名) 2. 使用apt-get自动安装补丁包：首先，使用下面的命令更新内部数据库： # apt-get update 然后，使用下面的命令安装更新软件包： # apt-get upgrade RedHat ------ RedHat已经为此发布了一个安全公告（RHSA-2007:1077-01）以及相应补丁: RHSA-2007:1077-01：Moderate: python security update 链接：<a href=https://www.redhat.com/support/errata/RHSA-2007-1077.html target=_blank>https://www.redhat.com/support/errata/RHSA-2007-1077.html</a> Python Software Foundation -------------------------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://svn.python.org/view/python/branches/release25-maint/Modules/_localemodule.c?rev=54670&r1=51333&r2=54670 target=_blank>http://svn.python.org/view/python/branches/release25-maint/Modules/_localemodule.c?rev=54670&r1=51333&r2=54670</a>

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™