[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-08-19 Thread Guido van Rossum
Guido van Rossum added the comment: Looking into this now.

2008-08-19 Thread Guido van Rossum
Guido van Rossum added the comment: Latest patches applied to 2.5 branch: r65878. And to 2.6 trunk: r65880. -- resolution: - accepted status: open - closed

2008-08-15 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- nosy: -pitrou

2008-08-11 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- nosy: +pitrou

2008-08-05 Thread Guido van Rossum
Guido van Rossum added the comment: The two segfaults reported in msg64682 are still there in 2.6. I'm elevating this to release blocker but don't have time to fix this myself. -- assignee: gvanrossum - priority: critical - release blocker versions: +Python 2.6

2008-07-30 Thread Benjamin Peterson
Benjamin Peterson added the comment: Does anybody still care about this for 2.6? -- nosy: +benjamin.peterson

2008-05-07 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: This is not a release blocker for 2.6 or 3.0. -- nosy: +barry priority: release blocker - critical

2008-05-07 Thread Ismail Donmez
Ismail Donmez added the comment: This _must_ be a release blocker for Python 3.0. It's a shame that this bug is still not fixed and a patch has been available for months now.

2008-05-07 Thread Guido van Rossum
Guido van Rossum added the comment: imageop is deleted in 3.0. See PEP 3108. So it can't be a release blocker. This also explains my general lack of interest in this module.

2008-05-07 Thread Ismail Donmez
Ismail Donmez added the comment: I am sorry for the drama then, :)

2008-04-07 Thread David Remahl
David Remahl added the comment: Uploading patch that addresses the test cases above. It applies on top of nevyn's latest patch. Added file: http://bugs.python.org/file9975/python-2.5-int-overflow-2.patch

2008-04-04 Thread jan matejek
Changes by jan matejek: -- nosy: +matejcik

2008-04-04 Thread Neal Norwitz
Neal Norwitz added the comment: I think this was a module that I skipped. I think Anthony might have had a patch, but if we have a fix, I'm not sure it matters. We need to fix this for 2.5.3, upping the priority. -- nosy: +anthonybaxter priority: high - release

2008-03-28 Thread David Remahl
David Remahl added the comment: The following test cases still cause bus errors with the patch applied:

    import imageop; imageop.rgb82rgb('A'*(2**30), 32768, 32768)
    import imageop; imageop.grey2rgb('A'*(2**30), 32768, 32768)

-- nosy: +chmod007

2008-03-17 Thread Guido van Rossum
Guido van Rossum added the comment: Sorry this missed the 2.5.2 release. I'll try to look again before 2.5.3 is imminent. -- components: +Extension Modules -Library (Lib)

2007-12-19 Thread Guido van Rossum
Guido van Rossum added the comment: Sigh. I'll try to make time to review and apply this. -- assignee: - gvanrossum

2007-12-19 Thread James Antill
James Antill added the comment: I've applied the last patch I posted to recent RHEL and Fedora releases, and it doesn't seem to break anything ... and from what I could see it fixed the problem.

2007-12-19 Thread Ismail Donmez
Ismail Donmez added the comment: Same here for Pardus Linux, applied the patch without a regression.

2007-12-18 Thread Jim Panetta
Jim Panetta added the comment: Is this final yet? Our system security group is a little paranoid about buffer overflows of any sort and are starting to make noises. I can confirm that the Oct 20 patch applies against Python 2.5.1 on RHEL4, and that the string length error is generated when

2007-10-19 Thread Guido van Rossum
Guido van Rossum added the comment: Neal, didn't you say you had a fix for this? -- nosy: +nnorwitz

2007-09-24 Thread Martin v. Löwis
Changes by Martin v. Löwis: -- keywords: +patch

2007-09-20 Thread Sean Reifschneider
Changes by Sean Reifschneider: -- priority: - high

2007-09-19 Thread Guido van Rossum
Guido van Rossum added the comment: Cartman, please refrain from using vulgarities in your sample code. It's hard to take a bug report seriously with such variable names. -- nosy: +gvanrossum

2007-09-19 Thread Sean Reifschneider
Sean Reifschneider added the comment: Guido: That code came from the full-disclosure list posting, I think cartman was just passing it on.

2007-09-19 Thread James Antill
James Antill added the comment: So I think this is all the places integer overflow checking is needed in imageop.c and rgbimgmodule.c. There might be checks here which can't be exploited anyway, and I haven't checked any other files yet. Feel free to comment. Ps. This is against the 2.5 in

2007-09-19 Thread James Antill
Changes by James Antill:

2007-09-19 Thread Ismail Donmez
Ismail Donmez added the comment: Guido, The poc is taken as is, sorry.

2007-09-19 Thread Ismail Donmez
Ismail Donmez added the comment: nevyn: Your patch cleanly applies to python 2.4.4 and fixes the interpreter crash with poc.py. Thanks.

2007-09-19 Thread Guido van Rossum
Guido van Rossum added the comment: Hm. First of all, it seems the imageop module has completely missed the Py_ssize_t changes. Second, I don't think that if ( x != len / y ) is a valid replacement for if ( x*y != len ) -- consider x==5, y==2, len==11. -- priority: high -

2007-09-19 Thread James Antill
James Antill added the comment: Guido: It's true that that len can be slightly bigger than x*y, the big thing is that it can't be smaller so we can malloc(len) and use up to x*y (which was my main focus). I first looked at any of this code today, but I didn't see any reason that having len be
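
The two checks compared in the comments above, side by side with an exact overflow-safe variant, as an added example (not code from the patch or from imageop.c). The function names, the 32-bit sizes, the out_bpp parameter and the 65536 case are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply-then-compare, done in uint32_t so 32-bit wraparound is well defined. */
static int check_multiply(int32_t x, int32_t y, int32_t len)
{
    uint32_t prod = (uint32_t)x * (uint32_t)y;    /* wraps modulo 2^32 */
    return prod == (uint32_t)len;
}

/* Divide-then-compare: cannot overflow, but division truncates, so every
   len in [x*y, x*y + y - 1] is accepted. */
static int check_divide(int32_t x, int32_t y, int32_t len)
{
    if (x <= 0 || y <= 0 || len < 0)
        return 0;
    return x == len / y;
}

/* Overflow-safe and exact. out_bpp (bytes per output pixel) is an assumed
   parameter: the output buffer size x*y*out_bpp must fit as well. */
static int check_exact(int32_t x, int32_t y, int32_t len, int32_t out_bpp)
{
    if (x <= 0 || y <= 0 || len < 0 || out_bpp <= 0)
        return 0;
    if (x > INT32_MAX / y)                        /* x*y would overflow */
        return 0;
    if (x * y != len)                             /* exact match required */
        return 0;
    if (len > INT32_MAX / out_bpp)                /* output size would overflow */
        return 0;
    return 1;
}

int main(void)
{
    /* x=5, y=2, len=11 is the case from the comment above. */
    printf("divide   5x2, len 11: %d\n", check_divide(5, 2, 11));
    printf("exact    5x2, len 11: %d\n", check_exact(5, 2, 11, 1));
    /* Constructed: 65536*65536 wraps to 0 in 32 bits. */
    printf("multiply 65536x65536, len 0: %d\n", check_multiply(65536, 65536, 0));
    printf("exact    65536x65536, len 0: %d\n", check_exact(65536, 65536, 0, 1));
    /* Dimensions from the test cases in this thread, assuming 4 output bytes per pixel. */
    printf("exact    32768x32768, len 2^30, bpp 4: %d\n",
           check_exact(32768, 32768, 1 << 30, 4));
    return 0;
}
```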

2007-09-18 Thread Ismail Donmez
New submission from Ismail Donmez: As reported at http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065826.html . There is an integer overflow in imageop module which results in an interpreter crash. Original proof of concept code is attached. -- components: Library

2007-09-18 Thread Sean Reifschneider
Sean Reifschneider added the comment: It's unclear if this only causes a crash or if it can inject data. Referenced mailing list post points out where one error is. -- nosy: +jafo priority: - high