[Stackless] Stackless to address multiple buffer overflow vulnerability?

David E. Sallis David.Sallis at noaa.gov
Fri Aug 15 23:02:57 CEST 2008


Guy Hulbert said the following on 8/15/2008 3:11 PM:
> If you want the "Not Vulnerable" versions, I think you'd need to
> build Stackless from the Gentoo sources.

That would be great if I were a Gentoo user, but I'm not.  And I build Stackless from source anyway.  Right now Stackless Python source code from stackless.com is unpatched, including Stackless 2.5.2.

> You did not reference this CVE although the link you posted does mention it (with 4 other ones).

I apologize for not including each specific link to the CVEs encompassed by the SecurityFocus bulletin, because I assumed that a reader of my OP would be able to look them up to see WTF.  I certainly learned MY lesson.

> The only reference to a fix I could find was on the downloads page:
> http://www.python.org/download/
>    Note: there's a security fix for Python 2.2, 2.3 and 2.4. Of the
>    releases below, only 2.4.4 and 2.5 and later include the fix.

Right.  A two-year-old security release.  So you read this and brushed me off with "This is an old problem."

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315

If you read the Mitre link carefully, you will notice in the 'References' section that several Linux vendors have patched or have begun patching their package-managed Python implementations, to include Gentoo, Ubuntu, Mandriva and others.  Great for them, but I'm a Red Hat user, and, again, I build all of my Python interpreters from source.

Can anyone else chime in?  For some reason I have developed a headache of inordinate size and scope.

-- 
David E. Sallis, Software Architect
General Dynamics Information Technology
NOAA Coastal Data Development Center
Stennis Space Center, Mississippi
228.688.3805
david.sallis at gdit.com
david.sallis at noaa.gov
--------------------------------------------
"Better Living Through Software Engineering"
--------------------------------------------
