[Stackless] Stackless to address multiple buffer overflow vulnerability?

Kristján Valur Jónsson kristjan at ccpgames.com
Sun Aug 17 16:31:59 CEST 2008


I think you are referring to this fix, which went into the code on July the 22nd:
http://svn.python.org/view?rev=65182&view=rev

This has been backported to 2.5, 3.0 and perhaps 2.4.
K

> -----Original Message-----
> From: stackless-bounces at stackless.com [mailto:stackless-
> bounces at stackless.com] On Behalf Of David E. Sallis
> Sent: Friday, August 15, 2008 21:03
> To: stackless at stackless.com
> Subject: Re: [Stackless] Stackless to address multiple buffer overflow
> vulnerability?
>
> Guy Hulbert said the following on 8/15/2008 3:11 PM:
> > If you want the "Not Vulnerable" versions, I think you'd need to
> > build Stackless from the gentoo sources.
>
> That would be great if I were a Gentoo user, but I'm not.  And I build
> Stackless from source anyway.  Right now Stackless Python
> source code from stackless.com is unpatched, including Stackless 2.5.2.
>
> > You did not reference this CVE although the link you posted does
> > mention it (with 4 other ones).
>
> I apologize for not including each specific link to the CVEs
> encompassed by the SecurityFocus bulletin, because I assumed that a
> reader of my OP would be able to look them up to see WTF.  I certainly
> learned MY lesson.
>
> > The only reference to a fix I could find was on the downloads page:
> > http://www.python.org/download/
> >    Note: there's a security fix for Python 2.2, 2.3 and 2.4. Of the
> >    releases below, only 2.4.4 and 2.5 and later include the fix.
>
> Right.  A two-year-old security release.  So you read this and brushed
> me off with "This is an old problem."
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
>
> If you read the Mitre link carefully, you will notice in the
> 'References' section that several Linux vendors have patched or have
> begun patching their package-managed Python implementations, to include
> Gentoo, Ubuntu, Mandriva and others.  Great for them, but
> I'm a RedHat user, and, again, I build all of my Python interpreters
> from source.
>
> Can anyone else chime in?  For some reason I have developed a headache
> of inordinate size and scope.
>
> --
> David E. Sallis, Software Architect
> General Dynamics Information Technology
> NOAA Coastal Data Development Center
> Stennis Space Center, Mississippi
> 228.688.3805
> david.sallis at gdit.com
> david.sallis at noaa.gov
> --------------------------------------------
> "Better Living Through Software Engineering"
> --------------------------------------------
>
> _______________________________________________
> Stackless mailing list
> Stackless at stackless.com
> http://www.stackless.com/mailman/listinfo/stackless