Рекомендация Debian по безопасности

DSA-458-3 python2.2 -- переполнение буфера

Дата сообщения:

10.10.2004

Затронутые пакеты:

Уязвим:

Да

Ссылки на базы данных по безопасности:

В системе отслеживания ошибок Debian: Ошибка 248946, Ошибка 269548.
В базе данных Bugtraq (на SecurityFocus): Идентификатор BugTraq 9836.
В каталоге Mitre CVE: CVE-2004-0150.

Более подробная информация:

Это обновлённая версия рекомендации DSA 458-2, которая содержала ошибку в подпрограмме gethostbyaddr.

В первоначальной рекомендации говорилось:

Себастьян Шмидт (Sebastian Schmidt) обнаружил возможность переполнения буфера в функции getaddrinfo языка Python, что может позволить адресу IPv6, переданному удалённым нападающим посредством DNS, переписать содержимое стека памяти.

Ошибка присутствует только в python 2.2 и 2.2.1, и только если отключена поддержка IPv6. Пакет python2.2 в Debian woody отвечает этим условиям (пакет python — нет).

В стабильном дистрибутиве (woody) эта ошибка исправлена в версии 2.2.1-4.6.

Тестируемый и нестабильный дистрибутивы (sarge и sid) не содержат этой ошибки.

Мы рекомендуем вам обновить пакеты python2.2.

Исправлено в:

Debian GNU/Linux 3.0 (woody)

Исходный код:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6.dsc; http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6.diff.gz; http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1.orig.tar.gz
Независимые от архитектуры компоненты:: http://security.debian.org/pool/updates/main/p/python2.2/idle-python2.2_2.2.1-4.6_all.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-doc_2.2.1-4.6_all.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-elisp_2.2.1-4.6_all.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-examples_2.2.1-4.6_all.deb
Alpha:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_alpha.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_alpha.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_alpha.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_alpha.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_alpha.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_arm.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_arm.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_arm.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_arm.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_arm.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_i386.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_i386.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_i386.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_i386.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_i386.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_ia64.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_ia64.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_ia64.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_ia64.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_ia64.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_hppa.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_hppa.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_hppa.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_hppa.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_hppa.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_m68k.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_m68k.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_m68k.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_m68k.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_m68k.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_mips.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_mips.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_mips.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_mips.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_mips.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_s390.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_s390.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_s390.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_s390.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_s390.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_sparc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_sparc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_sparc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_sparc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_sparc.deb; http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_sparc.deb

Контрольные суммы MD5 этих файлов доступны в исходном сообщении.

Контрольные суммы MD5 этих файлов доступны в пересмотренном сообщении.