Executive Summary
Summary | |
---|---|
Title | Updated python packages fix vulnerabilities |
Informations | |||
---|---|---|---|
Name | MDVSA-2008:012 | First vendor Publication | 2008-01-14 |
Vendor | Mandriva | Last vendor Modification | 2008-01-14 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
An integer overflow flaw was discovered in how python's pcre module handled certain regular expressions. If a python application using the pcre module were to compile and execute untrusted regular expressions, it could possibly lead to an application crash or the excution of arbitrary code with the privileges of the python interpreter (CVE-2006-7228). Multiple integer overflows were found in python's imageop module. If an application written in python used the imageop module to process untrusted images, it could cause the application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the python interpreter (CVE-2007-4965). The updated packages have been patched to correct these issues. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2008:012 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-190 | Integer Overflow or Wraparound (CWE/SANS Top 25) |
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10804 | |||
Oval ID: | oval:org.mitre.oval:def:10804 | ||
Title: | Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows. | ||
Description: | Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4965 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10810 | |||
Oval ID: | oval:org.mitre.oval:def:10810 | ||
Title: | Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 might allow context-dependent attackers to execute arbitrary code via a regular expression that involves large (1) min, (2) max, or (3) duplength values that cause an incorrect length calculation and trigger a buffer overflow, a different vulnerability than CVE-2006-7227. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split. | ||
Description: | Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 might allow context-dependent attackers to execute arbitrary code via a regular expression that involves large (1) min, (2) max, or (3) duplength values that cause an incorrect length calculation and trigger a buffer overflow, a different vulnerability than CVE-2006-7227. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-7228 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17622 | |||
Oval ID: | oval:org.mitre.oval:def:17622 | ||
Title: | USN-585-1 -- python2.4/2.5 vulnerabilities | ||
Description: | Piotr Engelking discovered that strxfrm in Python was not correctly calculating the size of the destination buffer. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-585-1 CVE-2007-2052 CVE-2007-4965 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | python2.4 python2.5 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8486 | |||
Oval ID: | oval:org.mitre.oval:def:8486 | ||
Title: | VMware python integer overflows vulnerability in the imageop module | ||
Description: | Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4965 | Version: | 4 |
Platform(s): | VMWare ESX Server 3 VMWare ESX Server 3.5 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:8496 | |||
Oval ID: | oval:org.mitre.oval:def:8496 | ||
Title: | Multiple Buffer and Integer Overflow Vulnerabilities in Python (python(1)) May Lead to a Denial of Service (DoS) or Allow Execution of Arbitrary Code | ||
Description: | Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4965 | Version: | 1 |
Platform(s): | Sun Solaris 10 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for python CESA-2009:1176 centos5 i386 File : nvt/gb_CESA-2009_1176_python_centos5_i386.nasl |
2010-05-12 | Name : Mac OS X Security Update 2009-001 File : nvt/macosx_secupd_2009-001.nasl |
2010-05-12 | Name : Mac OS X Security Update 2007-009 File : nvt/macosx_secupd_2007-009.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-13 | Name : SLES10: Security update for Python File : nvt/sles10_python1.nasl |
2009-10-10 | Name : SLES9: Security update for Python File : nvt/sles9p5021835.nasl |
2009-10-10 | Name : SLES9: Security update for Python File : nvt/sles9p5015916.nasl |
2009-08-17 | Name : CentOS Security Advisory CESA-2009:1176 (python) File : nvt/ovcesa2009_1176.nasl |
2009-07-29 | Name : RedHat Security Advisory RHSA-2009:1176 File : nvt/RHSA_2009_1176.nasl |
2009-04-09 | Name : Mandriva Update for python MDVSA-2008:013 (python) File : nvt/gb_mandriva_MDVSA_2008_013.nasl |
2009-04-09 | Name : Mandriva Update for python MDVSA-2008:163 (python) File : nvt/gb_mandriva_MDVSA_2008_163.nasl |
2009-03-23 | Name : Ubuntu Update for python2.4/2.5 vulnerabilities USN-585-1 File : nvt/gb_ubuntu_USN_585_1.nasl |
2009-03-06 | Name : RedHat Update for pcre RHSA-2007:1059-01 File : nvt/gb_RHSA-2007_1059-01_pcre.nasl |
2009-03-06 | Name : RedHat Update for pcre RHSA-2007:1063-01 File : nvt/gb_RHSA-2007_1063-01_pcre.nasl |
2009-03-06 | Name : RedHat Update for pcre RHSA-2007:1065-01 File : nvt/gb_RHSA-2007_1065-01_pcre.nasl |
2009-03-06 | Name : RedHat Update for pcre RHSA-2007:1068-01 File : nvt/gb_RHSA-2007_1068-01_pcre.nasl |
2009-03-06 | Name : RedHat Update for python RHSA-2007:1076-02 File : nvt/gb_RHSA-2007_1076-02_python.nasl |
2009-03-06 | Name : RedHat Update for python RHSA-2007:1077-01 File : nvt/gb_RHSA-2007_1077-01_python.nasl |
2009-03-06 | Name : RedHat Update for php RHSA-2008:0546-01 File : nvt/gb_RHSA-2008_0546-01_php.nasl |
2009-02-27 | Name : CentOS Update for python-docs CESA-2007:1076 centos3 i386 File : nvt/gb_CESA-2007_1076_python-docs_centos3_i386.nasl |
2009-02-27 | Name : CentOS Update for pcre CESA-2007:1065-01 centos2 i386 File : nvt/gb_CESA-2007_1065-01_pcre_centos2_i386.nasl |
2009-02-27 | Name : CentOS Update for pcre CESA-2007:1063 centos3 x86_64 File : nvt/gb_CESA-2007_1063_pcre_centos3_x86_64.nasl |
2009-02-27 | Name : CentOS Update for php CESA-2008:0546-01 centos2 i386 File : nvt/gb_CESA-2008_0546-01_php_centos2_i386.nasl |
2009-02-27 | Name : CentOS Update for pcre CESA-2007:1063 centos3 i386 File : nvt/gb_CESA-2007_1063_pcre_centos3_i386.nasl |
2009-02-27 | Name : CentOS Update for python-docs CESA-2007:1076 centos3 x86_64 File : nvt/gb_CESA-2007_1076_python-docs_centos3_x86_64.nasl |
2009-02-27 | Name : CentOS Update for python CESA-2007:1077-01 centos2 i386 File : nvt/gb_CESA-2007_1077-01_python_centos2_i386.nasl |
2009-02-27 | Name : Fedora Update for python FEDORA-2007-2663 File : nvt/gb_fedora_2007_2663_python_fc7.nasl |
2009-02-13 | Name : Mandrake Security Advisory MDVSA-2009:036 (python) File : nvt/mdksa_2009_036.nasl |
2009-01-28 | Name : SuSE Update for pcre SUSE-SA:2007:062 File : nvt/gb_suse_2007_062.nasl |
2009-01-23 | Name : SuSE Update for php4, php5 SUSE-SA:2008:004 File : nvt/gb_suse_2008_004.nasl |
2009-01-13 | Name : Mandrake Security Advisory MDVSA-2009:003 (python) File : nvt/mdksa_2009_003.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200711-30 (libpcre) File : nvt/glsa_200711_30.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200805-11 (chicken) File : nvt/glsa_200805_11.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200802-10 (python) File : nvt/glsa_200802_10.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200801-19 (goffice) File : nvt/glsa_200801_19.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200801-18 (kazehakase) File : nvt/glsa_200801_18.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200801-02 (R) File : nvt/glsa_200801_02.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200711-07 (python) File : nvt/glsa_200711_07.nasl |
2008-08-15 | Name : Debian Security Advisory DSA 1620-1 (python2.5) File : nvt/deb_1620_1.nasl |
2008-05-12 | Name : Debian Security Advisory DSA 1570-1 (kazehakase) File : nvt/deb_1570_1.nasl |
2008-04-21 | Name : Debian Security Advisory DSA 1551-1 (python2.4) File : nvt/deb_1551_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
40754 | Perl-Compatible Regular Expression (PCRE) Crafted Regexp Parsing Overflow |
40142 | Python imageop Module tovideo() Function Overflow |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0016_remote.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1176.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-1076.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-1068.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-1063.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-1059.nasl - Type : ACT_GATHER_INFO |
2013-06-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-1068.nasl - Type : ACT_GATHER_INFO |
2013-03-06 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071129_pcre_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071109_pcre_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071210_python_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090727_python_for_SL5_x.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0264.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0525.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0629.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1176.nasl - Type : ACT_GATHER_INFO |
2009-11-23 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2009-0016.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12000.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12013.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12046.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12049.nasl - Type : ACT_GATHER_INFO |
2009-07-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1176.nasl - Type : ACT_GATHER_INFO |
2009-07-27 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2008-0003.nasl - Type : ACT_GATHER_INFO |
2009-07-27 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2008-0007.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-1063.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-013.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-163.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-003.nasl - Type : ACT_GATHER_INFO |
2009-02-13 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2009-001.nasl - Type : ACT_GATHER_INFO |
2008-07-28 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1620.nasl - Type : ACT_GATHER_INFO |
2008-07-16 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0546.nasl - Type : ACT_GATHER_INFO |
2008-07-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200807-01.nasl - Type : ACT_GATHER_INFO |
2008-05-09 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1570.nasl - Type : ACT_GATHER_INFO |
2008-04-22 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1551.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-585-1.nasl - Type : ACT_GATHER_INFO |
2008-02-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200802-10.nasl - Type : ACT_GATHER_INFO |
2008-02-01 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_python-4902.nasl - Type : ACT_GATHER_INFO |
2008-02-01 | Name : The remote openSUSE host is missing a security update. File : suse_python-4900.nasl - Type : ACT_GATHER_INFO |
2008-01-08 | Name : The remote openSUSE host is missing a security update. File : suse_apache2-mod_php5-4810.nasl - Type : ACT_GATHER_INFO |
2007-12-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_apache2-mod_php5-4808.nasl - Type : ACT_GATHER_INFO |
2007-12-18 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-009.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-1076.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1077.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1076.nasl - Type : ACT_GATHER_INFO |
2007-11-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1065.nasl - Type : ACT_GATHER_INFO |
2007-11-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1059.nasl - Type : ACT_GATHER_INFO |
2007-11-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1068.nasl - Type : ACT_GATHER_INFO |
2007-11-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1063.nasl - Type : ACT_GATHER_INFO |
2007-11-26 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200711-30.nasl - Type : ACT_GATHER_INFO |
2007-11-09 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-212.nasl - Type : ACT_GATHER_INFO |
2007-11-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200711-07.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2663.nasl - Type : ACT_GATHER_INFO |