Python imageop buffer overflow

python-imageop-bo (36653)

High Risk

Description:

Python is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the imageop module. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system, if the imageop module is enabled.

Platforms Affected:

• Apple, Mac OS X 10.4.11
• Apple, Mac OS X 10.5.1
• Apple, Mac OS X Server 10.4.11
• Apple, Mac OS X Server 10.5.1
• Canonical, Ubuntu 6.06 LTS
• Canonical, Ubuntu 6.10
• Canonical, Ubuntu 7.04
• Canonical, Ubuntu 7.10
• Debian, Debian Linux 4.0
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 2007
• MandrakeSoft, Mandrake Linux 2007 X86_64
• MandrakeSoft, Mandrake Linux 2007.1
• MandrakeSoft, Mandrake Linux 2007.1 X86_64
• MandrakeSoft, Mandrake Linux 2008.0 X86_64
• MandrakeSoft, Mandrake Linux 2008.0
• MandrakeSoft, Mandrake Linux Corporate Server 3.0
• MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 4.0
• MandrakeSoft, Mandrake Multi Network Firewall 2.0
• Python Software Foundation, Python 2.5.1 and prior
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 4 AS
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 WS
• RedHat, Network Satellite Server 4.2
• RedHat, Network Satellite Server 5.0
• RedHat, Network Satellite Server 5.1

Remedy:

For Gentoo Linux (Python):
Refer to GLSA 200711-07 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

• Apple Web site, About Security Update 2007-009 v1.1 at http://docs.info.apple.com/article.html?artnum=307224.
• Apple Web site, About Security Update 2007-009 at http://docs.info.apple.com/article.html?artnum=307179.
• BugTraq Mailing List, Mon Dec 17 2007 - 15:47:29 CST, Apple OS X Software Update Remote Command Execution at http://archives.neohapsis.com/archives/bugtraq/2007-12/0217.html.
• Full-Disclosure Mailing List, Sat Sep 15 2007 - 18:53:32 CDT, python <= 2.5.1 standart librairy multiples int overflow, heap overflow in imageop module at http://archives.neohapsis.com/archives/fulldisclosure/2007-09/0280.html.
• Python Web site, Python Programming Language -- Official Website at http://www.python.org/.
• VMware Security-Announce Mailing List, Thu Feb 21 11:00:48 PST 2008, VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates at http://lists.vmware.com/pipermail/security-announce/2008/000005.html.
• BID-25696: Python ImageOP Module Multiple Integer Overflow Vulnerabilities
• CVE-2007-4965: Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.
• DSA-1551: python2.4 -- several vulnerabilities
• DSA-1620: python2.5 -- several vulnerabilities
• FrSIRT/ADV-2007-3201: Python imageop Module tovideo() Function Integer Overflow Vulnerability
• FrSIRT/ADV-2007-4238: Apple Mac OS X Code Execution and Information Disclosure Vulnerabilities
• FrSIRT/ADV-2008-0637: VMware Update Fixes Code Execution and Security Bypass Issues
• GLSA-200711-07: Python: User-assisted execution of arbitrary code
• MDVSA-2008:012: Updated python packages fix vulnerabilities
• MDVSA-2008:013: Updated python packages fix vulnerability in imageop module
• RHSA-2007-1076: Moderate: python security update
• RHSA-2008-0264: Moderate: Red Hat Network Satellite Server Solaris client security update
• RHSA-2008-0525: Moderate: Red Hat Network Satellite Server Solaris client security update
• RHSA-2008-0629: Moderate: Red Hat Network Satellite Server Solaris client security update
• SA26837: Python imageop "tovideo()" Integer Overflow Security Issue
• SA28136: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
• SUSE-SR:2008:003: SUSE Security Summary Report
• USN-585-1: Python vulnerabilities

Reported:

Sep 16, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page