oss-sec mailing list archives

CVE issues with recent python flaws

From: Vincent Danen <vdanen () redhat com>
Date: Mon, 23 Dec 2013 16:41:52 -0700

So I've been detangling some python issues that we were alerted to around this time last year, along with some other 
vendors.

The work, and CVEs that were assigned (not sure by whom), are all public and since there are some issues that probably 
warrant a few more CVEs, I'm bringing this up on the list here (and also because no real announcements ever came out of 
the python camp regarding these).

It's all noted in our bug (https://bugzilla.redhat.com/show_bug.cgi?id=1046174):

* httplib [1] (fixed in 2.7.4 [2], 2.6.9 [3], and 3.3.3 [4])
* ftplib [5] (fixed in 2.7.6 [6], 2.6.9 [7], 3.3.3 [8])
* imaplib [9] (not yet fixed in 2.7.x, fixed in 2.6.9 [10], 3.3.3 [11])
* nntplib [12] (fixed in 2.7.6 [13], 2.6.9 [14], 3.3.3 [15])
* poplib [16] (not yet fixed in 2.7.x, fixed in 2.6.9 [17], 3.3.3 [18])
* smtplib [19] (not yet fixed in 2.7.x, fixed in 2.6.9 [20], not yet fixed in 3.3.x)

[1] http://bugs.python.org/issue16037
[2] http://hg.python.org/cpython/rev/8a22a2804a66/
[3] http://hg.python.org/cpython/rev/582e5072ff89
[4] http://hg.python.org/cpython/rev/e445d02e5306/
[5] http://bugs.python.org/issue16038
[6] http://hg.python.org/cpython/rev/44ac81e6d584/
[7] http://hg.python.org/cpython/rev/8b19e7d0be45/
[8] http://hg.python.org/cpython/rev/38db4d0726bd/
[9] http://bugs.python.org/issue16039
[10] http://hg.python.org/cpython/rev/4190568ceda0/
[11] http://hg.python.org/cpython/rev/4b0364fc5711/
[12] http://bugs.python.org/issue16040
[13] http://hg.python.org/cpython/rev/36680a7c0e22/
[14] http://hg.python.org/cpython/rev/731abf7834c4/
[15] http://hg.python.org/cpython/rev/fc88bd80d925/
[16] http://bugs.python.org/issue16041
[17] http://hg.python.org/cpython/rev/7214e3324a45/
[18] http://hg.python.org/cpython/rev/68029048c9c6/
[19] http://bugs.python.org/issue16042
[20] http://hg.python.org/cpython/rev/8a6def3add5b/


One CVE (CVE-2013-1752) as assigned to all of these, which would have been perfectly reasonable if they had _all_ been 
fixed simultaneously (or at least in the same version).

My post here is two-fold: a) to let other vendors know about these issues so they can update/patch their own packages, 
and b) to see if MITRE wants to do anything with regards to the CVE assignments for these issues as it seems like we 
might need 3-4 CVEs here as only nntplib and ftplib carry the same fixed-in-versions across the board.

-- 
Vincent Danen / Red Hat Security Response Team

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Current thread:

CVE issues with recent python flaws Vincent Danen (Dec 23)
- Re: CVE issues with recent python flaws Kurt Seifried (Dec 26)
- Re: CVE issues with recent python flaws cve-assign (Dec 27)