最近CVEのコピー&ペーストが続いていますがこのブログに書いていた予想通りの展開なのでまたコピーです。
コアとはいえあまり重要ではない箇所の脆弱性ですが、Python 2.5.3にリモートコード実行の可能性がある脆弱性がレポートされています。
CVE-2008-1679
Overview
Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base score: 6.8 (Medium) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 8.6Access Vector: Network exploitable , Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation , Allows unauthorized disclosure of information , Allows disruption of service
直したつもりが直っていないのはよくある事です。直したはずだったCVE-2007-4965は以下の通りです。
CVE-2007-4965
Overview
Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.
関連:
Python 2.5.2以下に任意コード実行の脆弱性
GoogleのPython採用と脆弱性情報の関係
Leave a Comment