ports/123153: Integer signedness bug in zlib module of lang/python23 and lang/python24
Nick Barkas
snb at threerings.net
Mon Apr 28 00:10:01 UTC 2008
>Number: 123153
>Category: ports
>Synopsis: Integer signedness bug in zlib module of lang/python23 and lang/python24
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 28 00:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: 7.0-RELEASE
>Organization:
Three Rings Design
>Environment:
FreeBSD maguro.moduli.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Python 2.3 and 2.4 suffer from the same integer signedness bug in the zlib module as was fixed recently in the port python25-2.5.2_2. See http://www.vuxml.org/freebsd/ec41c3e2-129c-11dd-bab7-0016179b2dd5.html
>How-To-Repeat:
Run either of the scipts python-2.5.2-zlib-unflush-misallocation.py or python-2.5.2-zlib-unflush-signedness.py attached to the bug reported at http://bugs.python.org/issue2586. Unpatched python 2.3 or 2.4 will crash, just as unpatched python 2.5 will.
>Fix:
Add the patch currently in lang/python25/files/patch-Modules-zlibmodule.c to lang/python24/files and lang/python23/files. It would also be good to update security/vuxml/vuln.xml to note that the vulnerability also affects python23 and python24 packages with version and port revision numbers before this patch is added.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list