[Stackless] Stackless to address multiple buffer overflow vulnerability?

Guy Hulbert gwhulbert at eol.ca
Fri Aug 15 18:36:07 CEST 2008


This is an old problem.
http://www.python.org/files/news/security/PSF-2006-001/PSF-2006-001.txt

        The flaw only manifests itself in Python builds configured to support
        UCS-4 Unicode strings (using the --enable-unicode=ucs4 configure flag).
        This is still not the default, which is why the vulnerability should not
        be present in most Python builds out there, especially not the builds for
        the Windows or Mac OS X platform provided by www.python.org.
        
        You can find out whether you are running a UCS-4 enabled build by looking
        at the sys.maxunicode attribute: it is 65535 in a UCS-2 build and 1114111
        in a UCS-4 build.

On Fri, 2008-15-08 at 09:51 -0500, David E. Sallis wrote:
> Recently a multiple buffer overflow vulnerability advisory was posted for all versions of Python except 2.5.2-r6 and 2.4.4-r14 (see 
> http://www.securityfocus.com/bid/30491).
> 
> Is Stackless being patched to address these vulnerabilities?  I'm currently using Stackless 2.4.3 but could probably upgrade to 
> 2.5.2.  Which gives rise to another question:  is Stackless 2.5.2 vulnerable?
> 
> Many thanks.

-- 
--gh





