CVE-2010-1634
Published 2010-05-27
CVE-2010-1634: Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service…
Medium · 5 · CVSS 3.1
AV:N/AC:L/Au:N/C:N/I:N/A:P
Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | python2.7 | < python2.7 2.7-1 (bullseye) | python2.7 2.7-1 (bullseye) |
| fedoraproject | fedora | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| python | python | >= 2.5.0 < 2.5.6 | 2.5.6 |
| python | python | >= 2.6.0 < 2.6.6 | 2.6.6 |
| python | python | >= 3.1.0 < 3.1.3 | 3.1.3 |
| suse | linux_enterprise_server | — | — |
| suse | linux_enterprise_server | — | — |
CVSS provenance
nvd · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
osv · 7.5 · HIGH
Ubuntu
Python 3.1 vulnerabilities
vendor_ubuntu·2012-10-24·CVSS 6.9
CVE-2008-5983 [MEDIUM] Python 3.1 vulnerabilities
Title: Python 3.1 vulnerabilities
Summary: Several security issues were fixed in Python 3.1.
It was discovered that Python would prepend an empty string to sys.path
under certain circumstances. A local attacker with write access to the
current working directory could exploit this to execute arbitrary code.
This issue only affected Ubuntu 10.04 LTS. (CVE-2008-5983)
It was discovered that the audioop module did not correctly perform input
validation. If a user or automated system were tricked into opening a
crafted audio file, an attacker could cause a denial of service via
application crash. These issues only affected Ubuntu 10.04 LTS.
(CVE-2010-1634, CVE-2010-2089)
It was discovered that Python distutils contained a race condition when
creating the ~/.pypirc file. A local attacker co
Ubuntu
Python 2.5 vulnerabilities
vendor_ubuntu·2012-10-17·CVSS 6.9
CVE-2008-5983 [MEDIUM] Python 2.5 vulnerabilities
Title: Python 2.5 vulnerabilities
Summary: Several security issues were fixed in Python 2.5.
It was discovered that Python would prepend an empty string to sys.path
under certain circumstances. A local attacker with write access to the
current working directory could exploit this to execute arbitrary code.
(CVE-2008-5983)
It was discovered that the audioop module did not correctly perform input
validation. If a user or automated system were tricked into opening a
crafted audio file, an attacker could cause a denial of service via
application crash. (CVE-2010-1634, CVE-2010-2089)
Giampaolo Rodola discovered several race conditions in the smtpd module.
A remote attacker could exploit this to cause a denial of service via
daemon outage. (CVE-2010-3493)
It was discovered that the CGIHTT
Ubuntu
Python 2.4 vulnerabilities
vendor_ubuntu·2012-10-17·CVSS 6.9
CVE-2010-2089 [MEDIUM] Python 2.4 vulnerabilities
Title: Python 2.4 vulnerabilities
Summary: Several security issues were fixed in Python 2.4.
USN-1613-1 fixed vulnerabilities in Python 2.5. This update provides the
corresponding updates for Python 2.4.
Original advisory details:
It was discovered that Python would prepend an empty string to sys.path
under certain circumstances. A local attacker with write access to the
current working directory could exploit this to execute arbitrary code.
(CVE-2008-5983)
It was discovered that the audioop module did not correctly perform input
validation. If a user or automated system were tricked into opening a
crafted audio file, an attacker could cause a denial of service via
application crash. (CVE-2010-1634, CVE-2010-2089)
Giampaolo Rodola discovered several race conditions in the smtpd mod
Ubuntu
Python 2.6 vulnerabilities
vendor_ubuntu·2012-10-04·CVSS 6.9
CVE-2008-5983 [MEDIUM] Python 2.6 vulnerabilities
Title: Python 2.6 vulnerabilities
Summary: Several security issues were fixed in Python 2.6.
It was discovered that Python would prepend an empty string to sys.path
under certain circumstances. A local attacker with write access to the
current working directory could exploit this to execute arbitrary code.
(CVE-2008-5983)
It was discovered that the audioop module did not correctly perform input
validation. If a user or automated system were tricked into opening a
crafted audio file, an attacker could cause a denial of service via
application crash. (CVE-2010-1634, CVE-2010-2089)
Giampaolo Rodola discovered several race conditions in the smtpd module.
A remote attacker could exploit this to cause a denial of service via
daemon outage. (CVE-2010-3493)
It was discovered that the CGIHTT
Red Hat
python: audioop: incorrect integer overflow checks
vendor_redhat·2010-05-10·CVSS 7.5
CVE-2010-1634 [HIGH] CWE-190 python: audioop: incorrect integer overflow checks
Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.
Package: python (Red Hat Enterprise Linux Extended Update Support 6.0) - Affected
Red Hat
Python: Memory corruption in audioop module
vendor_redhat·2010-01-11·CVSS 5.0
CVE-2010-2089 [MEDIUM] Python: Memory corruption in audioop module
The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
Package: python (Red Hat Enterprise Linux Extended Update Support 6.0) - Affected
Debian
CVE-2010-2089: python2.7 - The audioop module in Python 2.7 and 3.2 does not verify the relationships betwe...
vendor_debian·2010·CVSS 5.0
CVE-2010-2089 [MEDIUM] CVE-2010-2089: python2.7 - The audioop module in Python 2.7 and 3.2 does not verify the relationships betwe...
The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
Scope: local
bullseye: resolved (fixed in 2.7-1)
Debian
CVE-2010-1634: python2.7 - Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7...
vendor_debian·2010·CVSS 7.5
CVE-2010-1634 [HIGH] CVE-2010-1634: python2.7 - Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7...
Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.
Scope: local
bullseye: resolved (fixed in 2.7-1)
GHSA
GHSA-gr62-2592-229q: Multiple integer overflows in audioop
ghsa_unreviewed·2022-05-13·CVSS 7.5
CVE-2010-1634 [HIGH] CWE-190 GHSA-gr62-2592-229q: Multiple integer overflows in audioop
Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.
GHSA
GHSA-8428-fhph-pvrc: The audioop module in Python 2
ghsa_unreviewed·2022-05-13·CVSS 5.0
CVE-2010-2089 [MEDIUM] CWE-119 GHSA-8428-fhph-pvrc: The audioop module in Python 2
The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
OSV
CVE-2010-1634: Multiple integer overflows in audioop
osv·2010-05-27·CVSS 7.5
CVE-2010-1634 [HIGH] CVE-2010-1634: Multiple integer overflows in audioop
Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.
OSV
CVE-2010-2089: The audioop module in Python 2
osv·2010-05-27·CVSS 5.0
CVE-2010-2089 [MEDIUM] CVE-2010-2089: The audioop module in Python 2
The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2010-2089 Python: Memory corruption in audioop module
bugzilla·2010-05-31·CVSS 5.0
CVE-2010-2089 [MEDIUM] CVE-2010-2089 Python: Memory corruption in audioop module
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2089 to
the following vulnerability:
The audioop module in Python 2.7 and 3.2 does not verify the
relationships between size arguments and byte string lengths, which
allows context-dependent attackers to cause a denial of service
(memory corruption and application crash) via crafted arguments, as
demonstrated by a call to audioop.reverse with a one-byte string, a
different vulnerability than CVE-2010-1634.
References:
[1] http://bugs.python.org/issue7673
Public PoC (from [1]):
$ python -c "import audioop; audioop.reverse('X', 2)"
Fatal Python error: Inconsistent interned string state.
Abandon
Discussion:
Created attachment 418359
audioop_check_length.patch by
Bugzilla
CVE-2010-1634 python: audioop: incorrect integer overflow checks
bugzilla·2010-05-10·CVSS 7.5
CVE-2010-1634 [HIGH] CVE-2010-1634 python: audioop: incorrect integer overflow checks
Python SVN commit r64114 added integer overflow checks to multiple Python modules:
http://svn.python.org/view?view=rev&revision=64114
All the issues got covered under a single CVE - CVE-2008-3143.
Checks added to audioop (and rgbimg, see bug #541698) were incorrect and possible to bypass:
http://bugs.python.org/issue8674
Discussion:
Created attachment 412843
Proposed patch (python 2.6)
---
Created attachment 412844
Proposed patch (python 2.4)
---
Assigning CVE-2010-1634 here and setting priority to low.
As noted in the upstream bug, ulaw2lin, alaw2lin and adpcm2lin integer overflows do not lead to buffer overflows. lin2lin integer overflow can result in buffer overflow - audioop.lin2lin("A"*0x40000001, 1, 4). ratecv r
http://bugs.python.org/issue8674
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042751.html
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://secunia.com/advisories/39937
http://secunia.com/advisories/40194
http://secunia.com/advisories/42888
http://secunia.com/advisories/43068
http://secunia.com/advisories/50858
http://secunia.com/advisories/51024
http://secunia.com/advisories/51040
http://secunia.com/advisories/51087
http://support.apple.com/kb/HT5002
http://svn.python.org/view?rev=81045&view=rev
http://svn.python.org/view?rev=81079&view=rev
http://www.redhat.com/support/errata/RHSA-2011-0027.html
http://www.securityfocus.com/bid/40370
http://www.ubuntu.com/usn/USN-1596-1
http://www.ubuntu.com/usn/USN-1613-1
http://www.ubuntu.com/usn/USN-1613-2
http://www.ubuntu.com/usn/USN-1616-1
http://www.vupen.com/english/advisories/2010/1448
http://www.vupen.com/english/advisories/2011/0122
http://www.vupen.com/english/advisories/2011/0212
https://bugzilla.redhat.com/show_bug.cgi?id=590690
2010-05-27
Published