A security flaw was found in the way the UTF-16 decoder of Python, an interpreted, interactive, object-oriented programming language, handled error messages after processing of certain UTF-16 strings. If a Python UTF-16-module-based application provided remote means to accept unsanitized input, a remote attacker could use this flaw to cause denial of service (cause the python executable to leak data, damage memory and possibly crash).

Upstream ticket:
[1] http://bugs.python.org/issue14579

CVE assignment:
[2] http://www.openwall.com/lists/oss-security/2012/04/25/3

Preliminary patches against the v3.2 version:
[3] http://bugs.python.org/file25294/utf16_error_handling-3.2.patch
[4] http://bugs.python.org/file25295/utf16_update_after_error-3.2.patch
[5] http://bugs.python.org/file25352/utf16_error_handling-3.2_3.patch

Reproducer:
[6] http://bugs.python.org/file25276/utf16crasher.py
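As an added illustration (not part of the bug report, the reproducer, or Python's own code), a small Python 3 helper showing how a service that accepts UTF-16 from a remote peer can bound the input and decode it strictly, surfacing the decoder's byte offsets and reason rather than relying on a lenient error handler. The size cap and the sample byte strings are constructed for this example.

```python
from typing import Optional, Tuple

# Assumed per-message cap for this example; tune it for the real application.
MAX_UTF16_BYTES = 64 * 1024

# Constructed samples (not taken from the reproducer linked in the report).
GOOD = "héllo".encode("utf-16")          # BOM + well-formed code units
ODD_LENGTH = b"A\x00B"                   # 3 bytes: trailing half of a code unit
LONE_HIGH = b"\x00\xd8"                  # high surrogate with nothing after it
BAD_PAIR = b"\x00\xd8A\x00"              # high surrogate followed by a non-surrogate


def decode_untrusted_utf16(data: bytes, encoding: str = "utf-16",
                           max_bytes: int = MAX_UTF16_BYTES) -> Tuple[Optional[str], Optional[dict]]:
    """Decode UTF-16 bytes received from an untrusted peer.

    Returns (text, None) on success, or (None, report) where the report carries
    the byte offsets and reason the decoder raised, so the caller can log and
    reject the message instead of silently repairing it.
    """
    if len(data) > max_bytes:
        return None, {"start": 0, "end": len(data), "reason": "input exceeds size cap"}
    if len(data) % 2:
        # UTF-16 code units are two bytes wide; an odd length is never well-formed,
        # so refuse it before the buffer reaches the codec at all.
        return None, {"start": len(data) - 1, "end": len(data), "reason": "odd byte length"}
    try:
        return data.decode(encoding, "strict"), None
    except UnicodeDecodeError as exc:
        # exc.start / exc.end are byte offsets of the offending code unit(s).
        return None, {"start": exc.start, "end": exc.end, "reason": exc.reason}


def decode_leniently(data: bytes, encoding: str = "utf-16-le") -> str:
    """Contrast: the 'replace' handler turns the same faults into U+FFFD.

    This keeps a service running but hides malformed input from the operator,
    and it is the error-handler path that the decoder bug in this report exercised.
    """
    return data.decode(encoding, "replace")


if __name__ == "__main__":
    samples = [("good", GOOD, "utf-16"), ("odd length", ODD_LENGTH, "utf-16-le"),
               ("lone high", LONE_HIGH, "utf-16-le"), ("bad pair", BAD_PAIR, "utf-16-le")]
    for label, raw, enc in samples:
        print(label, decode_untrusted_utf16(raw, enc), repr(decode_leniently(raw, enc)))
```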
This issue affects the versions of the python3 package as shipped with Fedora releases 15 and 16. Please schedule an update.
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 816156]