Bug 169235 - CAN-2005-0089 CAN-2005-2491 python multiple security issues
CAN-2005-0089 CAN-2005-2491 python multiple security issues
Status: CLOSED CANTFIX
Product: Fedora Legacy
Classification: Retired
Component: python2 (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
LEGACY, 1, 2, rh73, rh90, NEEDSWORK
: Security
: 152897 (view as bug list)
Depends On:
Blocks: 152897
  Show dependency treegraph
 
Reported: 2005-09-25 16:55 EDT by Jim Popovitch
Modified: 2007-04-18 13:31 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-11 20:46:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jim Popovitch 2005-09-25 16:55:22 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
From CAN-2005-2491:

"Integer overflow in pcre_compile.c in Perl Compatible Regular
 Expressions (PCRE) before 6.2, as used in multiple products, allows
 attackers to execute arbitrary code via quantifier values in regular
 expressions, which leads to a heap-based buffer overflow."



Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:

Per David Eisenstein <deisenst@gtw.net>

    * pcre library (FL bug already opened: Bugzilla # 168516):
        Ref:  Bugzilla 166330 (RHEL) - CAN-2005-2491 PCRE heap overflow
	      <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166330>
        Ref:  RHSA-2005:761 - Moderate: pcre security update
              <http://rhn.redhat.com/errata/RHSA-2005-761.html>).
	Ref:  FEDORA-2005-802, Fedora Core 3 Update: pcre-4.5-3.1.1.fc3
	      Notification at <http://tinyurl.com/ajafx>
	Ref:  FEDORA-2005-803, Fedora Core 4 Update: pcre-5.0-4.1.fc4
	      Notification at <http://tinyurl.com/cv94u>

	Our affected Packages:
	RH7.3:     265407 Apr 17  2002 pcre-3.9-2.src.rpm
	RH9:       266725 Feb 24  2003 pcre-3.9-10.src.rpm
	FC1:       346767 Oct 28  2003 pcre-4.4-1.src.rpm
	FC2:       355225 May 06  2004 pcre-4.5-2.src.rpm

    * python
        Ref:  Bugzilla 166335 (RHEL) - CAN-2005-2491 PCRE heap overflow
        Ref:  Bugzilla 168318 (FC3) - CAN-2005-2491 PCRE heap overflow

       -- Looks like RH Security team is assessing Python's vulnera-
          bility to this.  Both Bugzilla items are still open.
       -- FL already has Python Bugzilla, # 152897, for another issue.
          Maybe we could fold this one in with it, if this is truly
	  a vulnerability.

	Our potentially affected packages:
	RH7.3 updates:     3296238 Feb 12  2003 python-1.5.2-43.73.src.rpm
	RH7.3 updates:     6954498 Feb 12  2003 python2-2.2.2-11.7.3.src.rpm
	RH9:               6968043 Feb 25  2003 python-2.2.2-26.src.rpm
	FC1:               7008684 Jan 06  2004 python-2.2.3-7.src.rpm
	FC2:               7503689 May 07  2004 python-2.3.3-6.src.rpm
Comment 1 Michal Jaegermann 2005-09-26 02:00:55 EDT
"Tiny urls" in the original report resolve respectively to
http://www.redhat.com/archives/fedora-announce-list/2005-August/msg00111.html
and
http://www.redhat.com/archives/fedora-announce-list/2005-August/msg00112.html
These are notifications about updates of PCRE packages and not Python ones.

Legacy bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152897
is another Python issue and at this moment it is still open.
Comment 2 Michal Jaegermann 2005-09-26 18:39:06 EDT
Contrary to what the title of this report says that bug affects not only
python2.2 (as clearly suggested in a text of the report itself).

Currently there are available sources packages for RH7.3:
ftp://ftp.harddata.com/pub/Legacy_packages/python-1.5.2-43.73.1.legacy.src.rpm
ftp://ftp.harddata.com/pub/Legacy_packages/python2-2.2.2-11.7.3.1.legacy.src.rpm
with patches for CAN-2005-2491.  The one for python2 also fixes CAN-2005-0089
(#152897) and other issues.

Patches for other packages from other distributions will be likely very
similar to that one used for in 'python2'.

At least 'neat' still works after updates from binaries produced with the
above and all the code there doing the real work is written in Python. :-)
Comment 3 David Eisenstein 2005-09-27 03:49:47 EDT
Have suggested in Bug #152897 that we also handle the CAN-2005-0089 issue here
so we can get both bugs fixed at the same time in the same Bug Report.  To that
end I have made bug #152897 depend on this one.
Comment 4 Jim Popovitch 2005-09-27 11:08:26 EDT
FYI: renamed from "python2.2 integer overflow"  to "CAN-2005-0089 CAN-2005-2491
python multiple security issues"
Comment 5 Pekka Savola 2005-09-28 02:51:58 EDT
*** Bug 152897 has been marked as a duplicate of this bug. ***
Comment 6 David Eisenstein 2006-02-05 21:33:06 EST
This bug also affects FC3.  From Bug #168318:

Comment #1 From David Eisenstein on 2006-02-05 06:27 EST
--------------------------------------------------------
"Reassigning to Fedora Legacy.  Still not sure if this affects us or 
not....  Josh, do you know what you all eventually did with this bug
for other distros?"

Comment #2 From Josh Bressers (Security Response Team) on 2006-02-05 08:21 EST
------------------------------------------------------------------------------
"This issue didn't affect FC4, but does affect RHEL.  We have an update
in progress.  Note the ability to exploit this issue is seriously mitigated
by how PCRE is used in a python script which processes unsanitized user
input."

Should we close #168318 as a DUP of this one so we can track FC3 here also?
Comment 7 David Eisenstein 2006-02-05 21:37:43 EST
Note that RHEL's bug report on the CVE-2005-2491 issue, Bug #166335, is
in process with a proposed patch.  From that bug:

Comment #7 From Mihai Ibanescu  on 2006-01-20 18:41 EST 	 
-------------------------------------------------------
Created an attachment (id=123511)
Proposed patch

Pending testing of patch / unit tests.
Comment 8 David Eisenstein 2007-04-11 20:46:25 EDT
Red Hat Linux and Fedora Core releases <=4 are now completely unmaintained.
These bugs can't be fixed in these versions.  If the issue still persists in
current Fedora Core releases, please reopen.  Thank you, and sorry about this.

Note You need to log in before you can comment on or make changes to this bug.