CVE-2007-4965: rgbimg and imageop overflows

Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo() method, and unspecified other vectors related to (2) imageop.c, (3) rgbimgmodule.c, and other files, which trigger heap-based buffer overflows.

CVE-ID:

  • CVE-2007-4965
  • CVE-2009-4134
  • CVE-2010-1449
  • CVE-2010-1450

Reported again by Marc Schoenefeld in the Red Hat bugzilla on 2009-11-26.

  • Disclosure date: 2007-09-16 (full-disclosure email)
  • Reported by: Slythers Bro (on the full-disclosure mailing list)

Fixed In

Python issue

[CVE-2007-4965] Integer overflow in imageop module.

  • Python issue: issue #1179
  • Creation date: 2007-09-19
  • Reporter: Ismail Donmez

CVE-2007-4965

Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rgbimgmodule.c, and other files, which trigger heap-based buffer overflows.
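The bug class described above, as an added example (not code from CPython or from this page): a size check that multiplies caller-supplied image dimensions in 32-bit arithmetic, next to a version that cannot wrap. The form of the check (width * height * bytes per pixel compared with the buffer length) is an assumption, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names; models a "dimensions must match buffer length" check. */

/* Naive check: multiply first, compare afterwards. Unsigned 32-bit math is
   used so the wraparound is well defined (signed overflow is undefined). */
static int naive_size_ok(int32_t width, int32_t height, int32_t bpp, size_t len)
{
    uint32_t product = (uint32_t)width * (uint32_t)height * (uint32_t)bpp;
    return (size_t)product == len;
}

/* Hardened check: reject non-positive dimensions, then divide the known
   length instead of multiplying untrusted values, so nothing can wrap. */
static int checked_size_ok(int32_t width, int32_t height, int32_t bpp, size_t len)
{
    size_t pixels;

    if (width <= 0 || height <= 0 || bpp <= 0)
        return 0;
    if (len % (size_t)bpp != 0)
        return 0;
    pixels = len / (size_t)bpp;
    if (pixels % (size_t)width != 0)
        return 0;
    return pixels / (size_t)width == (size_t)height;
}

int main(void)
{
    /* Constructed input: 0x10001 * 0x10000 wraps to 0x10000 in 32 bits, so a
       64 KiB buffer appears to match a roughly 4 GiB image. */
    int32_t w = 0x10001, h = 0x10000, bpp = 1;
    size_t len = 0x10000;

    printf("naive:   %d\n", naive_size_ok(w, h, bpp, len));
    printf("checked: %d\n", checked_size_ok(w, h, bpp, len));
    printf("4x4x4/64 checked: %d\n", checked_size_ok(4, 4, 4, 64));
    return 0;
}
```

Once the naive check passes, any loop bounded by the dimensions rather than by the buffer length runs past the end of the heap allocation, which matches the crash and memory-disclosure impact in the description.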

Timeline

Timeline using the disclosure date 2007-09-16 as reference:

  • 2007-09-16: Disclosure date (full-disclosure email)
  • 2007-09-18 (+2 days): CVE-2007-4965 published
  • 2007-09-19 (+3 days): Python issue #1179 reported by Ismail Donmez
  • 2008-08-19 (+338 days): commit 4df1b6d
  • 2008-08-19 (+338 days): commit 93ebfb1
  • 2008-10-01: Python 2.6.0 released
  • 2008-12-19 (+460 days): Python 2.5.3 released