[Stackless] Stackless to address multiple buffer overflow vulnerability?
Kristján Valur Jónsson
kristjan at ccpgames.com
Sun Aug 17 16:31:59 CEST 2008
I think you are referring to this fix which went into the code on July the 22nd:
This has been backported to 2.5, 3.0 and perhaps 2.4
> -----Original Message-----
> From: stackless-bounces at stackless.com [mailto:stackless-
> bounces at stackless.com] On Behalf Of David E. Sallis
> Sent: Friday, August 15, 2008 21:03
> To: stackless at stackless.com
> Subject: Re: [Stackless] Stackless to address multiple buffer overflow
> Guy Hulbert said the following on 8/15/2008 3:11 PM:
> > If you want the "Not Vulnerable" versions, I think you'd need to
> > build Stackless from the gentoo sources.
> That would be great if I were a Gentoo user, but I'm not. And I build
> Stackless from source anyway. Right now Stackless Python
> source code from stackless.com is unpatched, including Stackless 2.5.2.
> > You did not reference this CVE although the link you posted does
> > mention it (with 4 other ones).
> I apologize for not including each specific link to the CVEs
> encompassed by the SecurityFocus bulletin, because I assumed that a
> reader of my OP would be able to look them up to see WTF. I certainly
> learned MY lesson.
> > The only reference to a fix I could find was on the downloads page:
> > http://www.python.org/download/
> > Note: there's a security fix for Python 2.2, 2.3 and 2.4. Of the
> > releases below, only 2.4.4 and 2.5 and later include the fix.
> Right. A two-year-old security release. So you read this and brushed
> me off with "This is an old problem."
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
> If you read the Mitre link carefully, you will notice in the
> 'References' section that several Linux vendors have patched or have
> begun patching their package-managed Python implementations, to include
> Gentoo, Ubuntu, Mandriva and others. Great for them, but
> I'm a RedHat user, and, again, I build all of my Python interpreters
> from source.
> Can anyone else chime in? For some reason I have developed a headache
> of inordinate size and scope.
> David E. Sallis, Software Architect
> General Dynamics Information Technology
> NOAA Coastal Data Development Center
> Stennis Space Center, Mississippi
> david.sallis at gdit.com
> david.sallis at noaa.gov
> "Better Living Through Software Engineering"
> Stackless mailing list
> Stackless at stackless.com