Bug 443810 (CVE-2008-1887)

Summary: CVE-2008-1887 python: PyString_FromStringAndSize does not check for negative size values
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: james.antill, jlieskov, ohudlick
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1887
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:06:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 486106, 486114, 486329, 486330, 486351, 486352, 537915    
Bug Blocks:    

Description Tomas Hoger 2008-04-23 14:09:58 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1887 to the following vulnerability:

Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.

Refences:
http://bugs.python.org/issue2587
http://www.securityfocus.com/archive/1/490776
http://www.debian.org/security/2008/dsa-1551
Comment 1 Tomas Hoger 2008-04-23 14:58:19 UTC 
Upstream SVN commits:

http://svn.python.org/view?rev=62262&view=rev
http://svn.python.org/view?rev=62261&view=rev
Comment 2 Tomas Hoger 2008-04-23 15:16:06 UTC 
This really is a cause of CVE-2008-1721 tracked via bug bug #442005.  Upstream
bug reports suggest that this may cause problems in other modules as well (PySSL
also mentioned).

This underlying issue seems to exist in all Python versions we ship in Red Hat
Enterprise Linux 2.1, 3, 4, and 5 and Fedora.  On Fedora 7 and later,
interpreter is aborted when assertion on size being >= 0 is hit.
Comment 18 errata-xmlrpc 2009-07-27 09:22:53 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1176 https://rhn.redhat.com/errata/RHSA-2009-1176.html
Comment 19 errata-xmlrpc 2009-07-27 09:35:23 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1177 https://rhn.redhat.com/errata/RHSA-2009-1177.html
Comment 20 errata-xmlrpc 2009-07-27 09:37:18 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1178 https://rhn.redhat.com/errata/RHSA-2009-1178.html