[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-08-19 Thread Guido van Rossum
Guido van Rossum added the comment: Latest patches applied to 2.5 branch: r65878. And to 2.6 trunk: r65880. -- resolution: -> accepted status: open -> closed

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-08-19 Thread Guido van Rossum
Guido van Rossum added the comment: Looking into this now.

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-08-15 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- nosy: -pitrou

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-08-11 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- nosy: +pitrou

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-08-05 Thread Guido van Rossum
Guido van Rossum added the comment: The two segfaults reported in msg64682 are still there in 2.6. I'm elevating this to release blocker but don't have time to fix this myself. -- assignee: gvanrossum -> priority: critical -> release blocker versions: +Python 2.6

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-07-30 Thread Benjamin Peterson
Benjamin Peterson added the comment: Does anybody still care about this for 2.6? -- nosy: +benjamin.peterson

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-05-07 Thread Ismail Donmez
Ismail Donmez added the comment: I am sorry for the drama then, :)

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-05-07 Thread Guido van Rossum
Guido van Rossum added the comment: imageop is deleted in 3.0. See PEP 3108. So it can't be a release blocker. This also explains my general lack of interest in this module.

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-05-07 Thread Ismail Donmez
Ismail Donmez added the comment: This _must_ be a release blocker for Python 3.0. It's a shame that this bug still is not fixed and a patch is available for months now.

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-05-07 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: This is not a release blocker for 2.6 or 3.0. -- nosy: +barry priority: release blocker -> critical

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-04-07 Thread David Remahl
David Remahl added the comment: Uploading patch that addresses the test cases above. It applies on top of nevyn’s latest patch. Added file: http://bugs.python.org/file9975/python-2.5-int-overflow-2.patch

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-04-04 Thread Neal Norwitz
Neal Norwitz added the comment: I think this was a module that I skipped. I think Anthony might have had a patch, but if we have a fix, I'm not sure it matters. We need to fix this for 2.5.3, upping the priority. -- nosy: +anthonybaxter priority: high -> release blo

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-04-04 Thread jan matejek
Changes by jan matejek: -- nosy: +matejcik

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-03-28 Thread David Remahl
David Remahl added the comment: The following test cases still cause bus errors with the patch applied:

import imageop; imageop.rgb82rgb('A'*(2**30), 32768, 32768)
import imageop; imageop.grey2rgb('A'*(2**30), 32768, 32768)

-- nosy: +chmod007

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2008-03-17 Thread Guido van Rossum
Guido van Rossum added the comment: Sorry this missed the 2.5.2 release. I'll try to look again before 2.5.3 is imminent. -- components: +Extension Modules -Library (Lib)

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-12-19 Thread Ismail Donmez
Ismail Donmez added the comment: Same here for Pardus Linux, applied the patch without a regression.

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-12-19 Thread James Antill
James Antill added the comment: I've applied the last patch I posted to recent RHEL and Fedora releases, and it doesn't seem to break anything ... and from what I could see it fixed the problem.

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-12-19 Thread Guido van Rossum
Guido van Rossum added the comment: Sigh. I'll try to make time to review & apply this. -- assignee: -> gvanrossum

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-12-18 Thread Jim Panetta
Jim Panetta added the comment: Is this final yet? Our system security group is a little paranoid about buffer overflows of any sort and are starting to make noises. I can confirm that the Oct 20 patch applies against Python 2.5.1 on RHEL4, and that the string length error is generated when runn

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-10-22 Thread James Antill
James Antill added the comment: Not sure who Neal is, and this probably isn't a final upstream fix ... but it's what I've applied to Fedora's python. It's basically the same patch as before, but it keeps the original * tests instead of just replacing them with / tests. So given: if x * y != len

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-10-19 Thread Guido van Rossum
Guido van Rossum added the comment: Neal, didn't you say you had a fix for this? -- nosy: +nnorwitz

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-24 Thread Martin v. Löwis
Changes by Martin v. Löwis: -- keywords: +patch

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-20 Thread Sean Reifschneider
Changes by Sean Reifschneider: -- priority: -> high

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread James Antill
James Antill added the comment: Guido: It's true that that len can be slightly bigger than x*y, the big thing is that it can't be smaller so we can malloc(len) and use up to x*y (which was my main focus). I first looked at any of this code today, but I didn't see any reason that having len be sli

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread Guido van Rossum
Guido van Rossum added the comment: Hm. First of all, it seems the imageop module has completely missed the Py_ssize_t changes. Second, I don't think that "if ( x != len / y )" is a valid replacement for "if ( x*y != len )" -- consider x==5, y==2, len==11. -- priority: high ->
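
The size checks discussed in this thread, as an added example that is not part of the tracker discussion or of any attached patch: it runs the x==5, y==2, len==11 case against a division-only test, and shows why 32768 x 32768 with a 2**30-byte string needs a second check on the output size. All function names are hypothetical; it assumes a 32-bit int and, for the 32768 case, one input byte and four output bytes per pixel.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; this is not code from imageop.c or the patches. */

/* Stores a*b in *out and returns 1 only if both are positive and a*b <= INT_MAX. */
static int mul_fits_int(int a, int b, int *out)
{
    if (a <= 0 || b <= 0 || a > INT_MAX / b)
        return 0;
    *out = a * b;
    return 1;
}

/* What an unchecked 32-bit x*y*bpp yields (unsigned, so the wrap is well defined). */
static uint32_t wrapped_size(int x, int y, int bpp)
{
    return (uint32_t)x * (uint32_t)y * (uint32_t)bpp;
}

/* Division-only acceptance test: accepts whenever x == len / y. */
static int div_only_ok(int x, int y, int len)
{
    return y > 0 && x == len / y;
}

/* Returns the output buffer size for an x*y image, or -1 if len does not
   match x*y*in_bpp exactly or any product overflows int.
   Assumption: in_bpp/out_bpp are bytes per pixel for input and output. */
static int checked_output_size(int x, int y, int len, int in_bpp, int out_bpp)
{
    int pixels, in_size, out_size;
    if (!mul_fits_int(x, y, &pixels) || !mul_fits_int(pixels, in_bpp, &in_size))
        return -1;
    if (in_size != len)                 /* exact match, not len / y */
        return -1;
    if (!mul_fits_int(pixels, out_bpp, &out_size))
        return -1;                      /* x*y fits, x*y*out_bpp does not */
    return out_size;
}

int main(void)
{
    printf("div-only accepts 5x2 with len 11: %d\n", div_only_ok(5, 2, 11));
    printf("unchecked 32768*32768*4 = %u\n", (unsigned)wrapped_size(32768, 32768, 4));
    printf("checked: %d\n", checked_output_size(32768, 32768, 1 << 30, 1, 4));
    return 0;
}
```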

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread Ismail Donmez
Ismail Donmez added the comment: nevyn: Your patch cleanly applies to python 2.4.4 and fixes the interpreter crash with poc.py. Thanks.

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread James Antill
James Antill added the comment: And now the obvious typo fix, *sigh*. __ Tracker <[EMAIL PROTECTED]> __diff -rup Python-2.5-orig/Modules/imageop.c Python-2.5/Modules/imageop.c --- Python-2.5-orig/M

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread Ismail Donmez
Ismail Donmez added the comment: Guido, The poc is taken as is, sorry.

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread James Antill
Changes by James Antill:

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread James Antill
James Antill added the comment: So I think this is all the places integer overflow checking is needed in imageop.c and rgbimgmodule.c. There might be checks here which can't be exploited anyway, and I haven't checked any other files yet. Feel free to comment. Ps. This is against the 2.5 in F

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread Sean Reifschneider
Sean Reifschneider added the comment: Guido: That code came from the full-disclosure list posting, I think cartman was just passing it on.

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-19 Thread Guido van Rossum
Guido van Rossum added the comment: Cartman, please refrain from using vulgarities in your sample code. It's hard to take a bug report seriously with such variable names. -- nosy: +gvanrossum

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-18 Thread Sean Reifschneider
Sean Reifschneider added the comment: It's unclear if this only causes a crash or if it can inject data. Referenced mailing list post points out where one error is. -- nosy: +jafo priority: -> high

[issue1179] [CVE-2007-4965] Integer overflow in imageop module

2007-09-18 Thread Ismail Donmez
New submission from Ismail Donmez: As reported at http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065826.html . There is an integer overflow in imageop module which results in an interpreter crash. Original proof of concept code is attached. -- components: Library (Lib)