473,599 Members | 3,118 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

SECURITY ADVISORY [PSF-2006-001] Buffer overrun in repr() for UCS-4encoded unicode strings

SECURITY ADVISORY [PSF-2006-001]
Buffer overrun in repr() for UCS-4 encoded unicode strings

http://www.python.org/news/security/PSF-2006-001/

Advisory ID: PSF-2006-001
Issue Date: October 12, 2006
Product: Python
Versions: 2.2, 2.3, 2.4 prior to 2.4.4, wide unicode (UCS-4) builds only
CVE Names: CAN-2006-4980

Python is an interpreted, interactive, object-oriented programming language.
It is often compared to Tcl, Perl, Scheme or Java.

The Python development team has discovered a flaw in the repr() implementation
of Unicode string objects which can lead to execution of arbitrary code due
to an overflow in a buffer allocated with insufficient size.

The flaw only manifests itself in Python builds configured to support UCS-4
Unicode strings (using the --enable-unicode=ucs4 configure flag). This is
still not the default, which is why the vulnerability should not be present
in most Python builds out there, especially not the builds for the Windows or
Mac OS X platform provided by www.python.org.

You can find out whether you are running a UCS-4 enabled build by looking at
the sys.maxunicode attribute: it is 65535 in a UCS-2 build and 1114111 in a
UCS-4 build.

More information can be found in this posting to the python-dev mailing list:
http://mail.python.org/pipermail/pyt...er/069260.html

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2006-4980 to this issue.

Python 2.4.4 will be released from www.python.org next week containing a fix
for this issue. A release candidate of 2.4.4 is already available containing
the fix. Python 2.5 also already contains the fix and is not vulnerable.

Patches for Python 2.2, 2.3 and 2.4 are also immediately available:

* http://python.org/files/news/securit.../patch-2.3.txt
(Python 2.2, 2.3)
* http://python.org/files/news/securit.../patch-2.4.txt
(Python 2.4)

Acknowledgement : thanks to Benjamin C. Wiley Sittler for discovering this
issue.

The official URL for this security advisory is
http://www.python.org/news/security/PSF-2006-001/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQBFLe9wDt3 F8mpFyBYRAqjoAJ 9nautQiN193DgAR fx2nKWOPrKFXQCe Oafq
X3GlGx94ShTRjVw tO2tqpZI=
=g/BJ
-----END PGP SIGNATURE-----

Oct 12 '06 #1
0 1641

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
0
1798
PHP developers for Macromedia advisory board
by: Supernews | last post by:
I work for Macromedia and we are looking to form advisory groups to better understand the needs of developers and inform future product development. Those participating will have direct contact with us and other advisory board members and be provided with free Macromedia software. If you are interested in participating, please complete an application found at: http://www.surveymonkey.com/s.asp?u=49439324658. We are looking for developers...
PHP
38
3204
PHP blamed for security problems
by: Tim Tyler | last post by:
Here's what this morning's security advisory read here: ``In the last 3 months we have noticed an marked increase in the number of web-server attacks and successful compromise on our network. These are mostly PHP-script exploits and are giving hackers easy shell access to virtual servers, as mentioned in the PHP Security Advisory in the News section of the control centre. We really cannot do much about these network attacks other than to...
PHP
0
1065
Please Donate to the PSF
by: Stephan Deibel | last post by:
Hi, As the holiday season ends and a new year approaches, I would like to take this opportunity to thank everyone that donated to the Python Software Foundation (PSF) in the past. Everyone's support is greatly appreciated. We now have well over 400 donors, many of whom donate regularly: http://www.python.org/psf/donations.html
Python
0
1029
PSF donations update
by: Stephan Deibel | last post by:
Hi, Just wanted to follow up on my earlier message requesting donations to the Python Software Foundation. The PSF has now announced the projects we are funding in our first round of grants: http://www.python.org/psf/grants/
Python
0
950
Subscription donations to PSF
by: Alan McIntyre | last post by:
Hi all, I asked the PSF folks if they plan on offering a subscription donation option, and they do eventually, if there's enough interest. If you have any interest in donating a small amount (preferably >= US$5) to the PSF on a regular basis (monthly?), then please respond here in the newsgroup or otherwise communicate this interest to the PSF so they have a feel for how many people would take advantage of the donation option if they...
Python
0
1530
Security Center Advisory
by: PayPal | last post by:
<HTML> <HEAD> <META NAME="GENERATOR" Content="Microsoft DHTML Editing Control"> <TITLE></TITLE> </HEAD> <BODY> <STYLE type=text/css> ..dummy {} BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size: 12px;color: #000000;}
MySQL Database
2
4718
diff of advisory lock and mandatory locks
by: Bangalore | last post by:
Hi, Plz, clarify me , with the differences between advisory lock and mandatory locks. Thnanks in advance Bangalore.
C / C++
11
3553
MS Access, Oracle 9i, security, and pass-thru update queries
by: DFS | last post by:
Architecture: Access 2003 client, Oracle 9i repository, no Access security in place, ODBC linked tables. 100 or so users, in 3 or 4 groups (Oracle roles actually): Admins, Updaters and ReadOnly. Each group sees a different set of menu options when they open the client and login to Oracle. For the sake of speed I use pass-through queries here and there for updates and deletes. I update their SQL property in code and execute them.
Microsoft Access / VBA
28
2504
"FE Updater" and macro security
by: darren via AccessMonster.com | last post by:
Hi I've seen details on bypassing macro security with a bat file but has any one incorporated this with Tony Toews FE Updater? If so, I'd appreciate some guidance. As both open the database I'm not sure how/if this will work. Thanks
Microsoft Access / VBA
1
1233
Crunchy security advisory
by: =?iso-8859-1?B?QW5kcuk=?= | last post by:
A security hole has been uncovered in Crunchy (version 0.9.1.1 and earlier). Anyone using Crunchy to browse web tutorials should only visit sites that are trustworthy. We are working hard at fixing the hole; a new release addressing the problems that have been found should be forthcoming shortly.
Python
0
7992
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
8400
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
Online Marketing
0
8267
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
6725
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
1
5850
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
5438
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
1
2414
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
1
1505
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP
0
1250
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us