Description of problem:

Justin Ferguson has reported the following python issue:

The unicode_resize() function acts essentially as a wrapper to realloc(), it accomplishes this via the PyMem_RESIZE() macro which factors the size with the size of the type, in this case it multiplies by two as Py_UNICODE is typedef'd to a wchar_t. When resizing large strings, this results in an incorrect allocation that in turn leads to buffer overflow.

Public mention of this issue:
http://bugs.python.org/issue2620

Proposed upstream patch:
http://bugs.python.org/file10825/issue2620-gps02-patch.txt
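The size calculation described in the report above, shown as an added example (not code from the report, the upstream patch, or Python's source). It assumes a 2-byte code unit as the report states and uses uint32_t to stand in for a 32-bit size type; unit_t, bytes_unchecked, bytes_checked and resize_units are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 2-byte code unit, matching the "multiplies by two" in the report. */
typedef uint16_t unit_t;

/* Unchecked: byte count as a 32-bit size type computes it; wraps modulo 2^32. */
static uint32_t bytes_unchecked(uint32_t n_units) {
    return n_units * (uint32_t)sizeof(unit_t);
}

/* Checked: 0 on success, -1 if n_units * sizeof(unit_t) does not fit in 32 bits. */
static int bytes_checked(uint32_t n_units, uint32_t *out) {
    if (n_units > UINT32_MAX / sizeof(unit_t))
        return -1;
    *out = n_units * (uint32_t)sizeof(unit_t);
    return 0;
}

/* Hardened resize wrapper: validates the element count before multiplying.
 * Zero-length requests are refused because realloc(p, 0) is implementation-defined.
 * On failure *buf is left untouched and still owned by the caller. */
static int resize_units(unit_t **buf, size_t n_units) {
    if (n_units == 0 || n_units > SIZE_MAX / sizeof(unit_t))
        return -1;
    unit_t *p = realloc(*buf, n_units * sizeof(unit_t));
    if (p == NULL)
        return -1;
    *buf = p;
    return 0;
}

int main(void) {
    uint32_t n = 0x80000001u;   /* constructed length: 2^31 + 1 units */
    uint32_t sz = 0;
    /* The caller believes it has n units, but only a few bytes were requested. */
    printf("unchecked: %u units -> %u bytes\n", (unsigned)n, (unsigned)bytes_unchecked(n));
    printf("checked:   %s\n", bytes_checked(n, &sz) ? "rejected" : "ok");
    return 0;
}
```
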
Links to reproducers:
http://bugs.python.org/file10011/python-2.5.2-unicode_resize-utf7.py
http://bugs.python.org/file10012/python-2.5.2-unicode_resize-utf8.py
http://bugs.python.org/file10013/python-2.5.2-unicode_resize-utf16.py
The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1176 https://rhn.redhat.com/errata/RHSA-2009-1176.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1177 https://rhn.redhat.com/errata/RHSA-2009-1177.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1178 https://rhn.redhat.com/errata/RHSA-2009-1178.html