Your message dated Sun, 23 Nov 2008 12:17:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504620: fixed in python2.4 2.4.5-6
has caused the Debian Bug report #504620,
regarding python2.4: CVE-2008-4864 multiple integer overflows in imageop module
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
504620: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504620
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: python2.4
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python2.4.

CVE-2008-4864[0]:
| Multiple integer overflows in imageop.c in the imageop module in
| Python 1.5.2 through 2.5.1 allow context-dependent attackers to break
| out of the Python VM and execute arbitrary code via large integer
| values in certain arguments to the crop function, leading to a buffer
| overflow, a different vulnerability than CVE-2007-4965 and
| CVE-2008-1679.

Upstream patch: 
http://svn.python.org/view/python/trunk/Modules/imageop.c?p2=%2Fpython%2Ftrunk%2FModules%2Fimageop.c&p1=python%2Ftrunk%2FModules%2Fimageop.c&r1=66689&r2=66688&rev=66689&view=diff&diff_format=u

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864
    http://security-tracker.debian.net/tracker/CVE-2008-4864

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


--- End Message ---
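
Added example, not part of the original bug report or the upstream patch: the bug class named in the CVE description above, where a product of caller-supplied dimensions wraps before it is compared with the buffer length, shown in C beside an overflow-checked form. The function names and the `len`/`width`/`height`/`size` parameters are assumptions made for illustration, and a 32-bit `int` is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Multiply two non-negative ints. Returns 0 and stores the product in
 * *out, or returns -1 if an operand is negative or the product would
 * exceed INT_MAX. */
static int mul_checked(int a, int b, int *out)
{
    if (a < 0 || b < 0)
        return -1;
    if (a != 0 && b > INT_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Unchecked pattern: the product is reduced modulo 2^32, so a short
 * buffer can appear to match huge or negative dimensions. uint32_t is
 * used here so the wrap is well defined for the demonstration. */
int naive_size_matches(int len, int width, int height, int size)
{
    uint32_t prod = (uint32_t)width * (uint32_t)height * (uint32_t)size;
    return prod == (uint32_t)len;
}

/* Checked pattern: reject non-positive values and any intermediate
 * product that overflows before comparing with the buffer length. */
int checked_size_matches(int len, int width, int height, int size)
{
    int pixels, bytes;

    if (width <= 0 || height <= 0 || size <= 0)
        return 0;
    if (mul_checked(width, height, &pixels) != 0 ||
        mul_checked(pixels, size, &bytes) != 0)
        return 0;
    return bytes == len;
}

int main(void)
{
    /* Constructed input: 65537 * 65536 = 2^32 + 65536, which wraps to 65536. */
    printf("naive:   %d\n", naive_size_matches(65536, 65537, 65536, 1));
    printf("checked: %d\n", checked_size_matches(65536, 65537, 65536, 1));
    return 0;
}
```
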
--- Begin Message ---
Source: python2.4
Source-Version: 2.4.5-6

We believe that the bug you reported is fixed in the latest version of
python2.4, which is due to be installed in the Debian FTP archive:

idle-python2.4_2.4.5-6_all.deb
  to pool/main/p/python2.4/idle-python2.4_2.4.5-6_all.deb
python2.4-dbg_2.4.5-6_i386.deb
  to pool/main/p/python2.4/python2.4-dbg_2.4.5-6_i386.deb
python2.4-dev_2.4.5-6_i386.deb
  to pool/main/p/python2.4/python2.4-dev_2.4.5-6_i386.deb
python2.4-examples_2.4.5-6_all.deb
  to pool/main/p/python2.4/python2.4-examples_2.4.5-6_all.deb
python2.4-minimal_2.4.5-6_i386.deb
  to pool/main/p/python2.4/python2.4-minimal_2.4.5-6_i386.deb
python2.4_2.4.5-6.diff.gz
  to pool/main/p/python2.4/python2.4_2.4.5-6.diff.gz
python2.4_2.4.5-6.dsc
  to pool/main/p/python2.4/python2.4_2.4.5-6.dsc
python2.4_2.4.5-6_i386.deb
  to pool/main/p/python2.4/python2.4_2.4.5-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <[EMAIL PROTECTED]> (supplier of updated python2.4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 23 Nov 2008 11:30:11 +0000
Source: python2.4
Binary: python2.4 python2.4-minimal python2.4-examples python2.4-dev idle-python2.4 python2.4-doc python2.4-dbg
Architecture: source all i386
Version: 2.4.5-6
Distribution: unstable
Urgency: low
Maintainer: Matthias Klose <[EMAIL PROTECTED]>
Changed-By: Matthias Klose <[EMAIL PROTECTED]>
Description: 
 idle-python2.4 - An IDE for Python (v2.4) using Tkinter
 python2.4  - An interactive high-level object-oriented language (version 2.4)
 python2.4-dbg - Debug Build of the Python Interpreter (version 2.4)
 python2.4-dev - Header files and a static library for Python (v2.4)
 python2.4-doc - Documentation for the high-level object-oriented language Python
 python2.4-examples - Examples for the Python language (v2.4)
 python2.4-minimal - A minimal subset of the Python language (version 2.4)
Closes: 504620
Changes: 
 python2.4 (2.4.5-6) unstable; urgency=low
 .
   * Fix CVE-2008-4864, imageop did not validate arguments correctly
     and could segfault as a result. Closes: #504620.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkpQ4MACgkQStlRaw+TLJxtRACglohApoaDtQ7WkhxOHS+2rejy
enUAoJIchMmIGKuWl+nc6awR4iBhIoft
=F50P
-----END PGP SIGNATURE-----



--- End Message ---
