[Stackless] Stackless to address multiple buffer overflow vulnerability?

David E. Sallis David.Sallis at noaa.gov
Fri Aug 15 23:02:57 CEST 2008

Guy Hulbert said the following on 8/15/2008 3:11 PM:
> If you want the "Not Vulnerable" versions, I think you'd need to
> build Stackless from the gentoo sources. 

That would be great if I were a Gentoo user, but I'm not.  And I build Stackless from source anyway.  Right now Stackless Python 
source code from stackless.com is unpatched, including Stackless 2.5.2.

> You did not reference this CVE although the link you posted does mention it (with 4 other ones).

I apologize for not including each specific link to the CVEs encompassed by the SecurityFocus bulletin, because I assumed that a 
reader of my OP would be able to look them up to see WTF.  I certainly learned MY lesson.

> The only reference to a fix I could find was on the downloads page:
> http://www.python.org/download/
>    Note: there's a security fix for Python 2.2, 2.3 and 2.4. Of the
>    releases below, only 2.4.4 and 2.5 and later include the fix.

Right.  A two-year-old security release.  So you read this and brushed me off with "This is an old problem."

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315

If you read the Mitre link carefully, you will notice in the 'References' section that several Linux vendors have patched or have 
begun patching their package-managed Python implementations, to include Gentoo, Ubuntu, Mandriva and others.  Great for them, but 
I'm a RedHat user, and, again, I build all of my Python interpreters from source.

Can anyone else chime in?  For some reason I have developed a headache of inordinate size and scope.

David E. Sallis, Software Architect
General Dynamics Information Technology
NOAA Coastal Data Development Center
Stennis Space Center, Mississippi
david.sallis at gdit.com
david.sallis at noaa.gov
"Better Living Through Software Engineering"
