Package: python2.4
Version: 2.4.4-2
Severity: important
Tags: security patch
In Modules/_localemodule.c, PyLocale_strxfrm() miscalculates the length of
the strxfrm() destination buffer, which causes the function to return a
wrong string, and to read past the destination buffer, which may (and does)
result in an information leak. The bug is also present in python2.5.
The attached patch fixes this problem.
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=pl_PL.UTF8 (charmap=UTF-8)
Versions of packages python2.4 depends on:
ii libbz2-1.0 1.0.3-6 high-quality block-sorting file co
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libdb4.4 4.4.20-8 Berkeley v4.4 Database Libraries [
ii libncursesw5 5.5-5 Shared libraries for terminal hand
ii libreadline5 5.2-2 GNU readline and history libraries
ii libssl0.9.8 0.9.8c-4 SSL shared libraries
ii mime-support 3.39-1 MIME files 'mime.types' & 'mailcap
ii python2.4-minimal 2.4.4-2 A minimal subset of the Python lan
python2.4 recommends no packages.
-- no debconf information
diff -ur python2.4-2.4.4-2/Modules/_localemodule.c python2.4/Modules/_localemodule.c
--- python2.4-2.4.4-2/Modules/_localemodule.c 2006-09-27 21:17:32.000000000 +0200
+++ python2.4/Modules/_localemodule.c 2007-03-31 16:39:42.000000000 +0200
@@ -357,7 +357,7 @@
buf = PyMem_Malloc(n1);
if (!buf)
return PyErr_NoMemory();
- n2 = strxfrm(buf, s, n1);
+ n2 = strxfrm(buf, s, n1) + 1;
if (n2 > n1) {
/* more space needed */
buf = PyMem_Realloc(buf, n2);
