SB2015031809 - Gentoo update for Python

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2015031809

SB2015031809 - Gentoo update for Python

Published: March 18, 2015 Updated: April 24, 2025

Security Bulletin ID SB2015031809
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2013-7338)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.


2) Buffer overflow (CVE-ID: CVE-2014-1912)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.


3) Race condition (CVE-ID: CVE-2014-2667)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.


4) Buffer overflow (CVE-ID: CVE-2014-4616)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.


5) Input validation error (CVE-ID: CVE-2014-7185)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.


6) Input validation error (CVE-ID: CVE-2014-9365)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. <a href="http://cwe.mitre.org/data/definitions/295.html">CWE-295: Improper Certificate Validation</a>


Remediation

Install update from vendor's website.

References