.. _rgbimg-imageop-overflows:

rgbimg and imageop overflows
============================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Multiple integer overflows in the ``imageop`` module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the ``tovideo()`` method, and unspecified other vectors related to (2) ``imageop.c``, (3) ``rgbimgmodule.c``, and other files, which trigger heap-based buffer overflows.

Reported again by Marc Schoenefeld in the Red Hat bugzilla on 2009-11-26.

Dates:

* Disclosure date: **2007-09-16** (full-disclosure email)
* Reported by: Slythers Bro (on the full-disclosure mailing list)

Fixed In
--------

* Python **2.5.3** (2008-12-19) fixed by commit 4df1b6d (branch 2.5) (2008-08-19)
* Python **2.6.0** (2008-10-01) fixed by commit 93ebfb1 (branch 2.6) (2008-08-19)

Python issue
------------

[CVE-2007-4965] Integer overflow in imageop module.

* Python issue: bpo-1179
* Creation date: 2007-09-19
* Reporter: Ismail Donmez

CVE-2007-4965
-------------

Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rgbimgmodule.c, and other files, which trigger heap-based buffer overflows.

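
The class of bug named in the CVE-2007-4965 summary, shown as an added C example that is not taken from ``imageop.c`` or the fixing commits: a dimension check whose product wraps, next to an overflow-safe version. The function names, the width/height/bytes-per-pixel parameters and the sample values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: a dimension check of the kind an image routine makes
 * before indexing a caller-supplied buffer. Names are hypothetical.
 * uint32_t keeps the wraparound well defined; with signed int it is UB. */

/* Weak: the product wraps modulo 2^32, so huge dimensions can "match" a
 * small buffer length. */
int size_ok_unchecked(uint32_t w, uint32_t h, uint32_t bpp, uint32_t len)
{
    return w * h * bpp == len;
}

/* Hardened: prove each multiplication cannot wrap before doing it. */
int size_ok_checked(uint32_t w, uint32_t h, uint32_t bpp, uint32_t len)
{
    if (w == 0 || h == 0 || bpp == 0)
        return 0;
    if (w > UINT32_MAX / h)
        return 0;
    uint32_t pixels = w * h;
    if (pixels > UINT32_MAX / bpp)
        return 0;
    return pixels * bpp == len;
}

/* Bytes a per-pixel loop over w x h would really touch, in 64-bit math. */
uint64_t bytes_touched(uint32_t w, uint32_t h, uint32_t bpp)
{
    return (uint64_t)w * h * bpp;
}

int main(void)
{
    /* Constructed values: 65537 * 65536 * 4 wraps to 262144 in 32 bits. */
    uint32_t w = 65537u, h = 65536u, bpp = 4u, len = 262144u;

    printf("unchecked accepts: %d\n", size_ok_unchecked(w, h, bpp, len));
    printf("checked accepts:   %d\n", size_ok_checked(w, h, bpp, len));
    printf("loop would touch %llu bytes of a %u-byte buffer\n",
           (unsigned long long)bytes_touched(w, h, bpp), (unsigned)len);
    return 0;
}
```
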

* CVE ID: CVE-2007-4965
* Published: 2007-09-18
* CVSS Score: 5.8

CVE-2009-4134
-------------

Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference.

* CVE ID: CVE-2009-4134
* Published: 2010-05-27
* CVSS Score: 5.0

CVE-2010-1449
-------------

Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.

* CVE ID: CVE-2010-1449
* Published: 2010-05-27
* CVSS Score: 7.5

CVE-2010-1450
-------------

Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function.

* CVE ID: CVE-2010-1450
* Published: 2010-05-27
* CVSS Score: 7.5

Timeline
--------

Timeline using the disclosure date **2007-09-16** as reference:

* 2007-09-16: Disclosure date (full-disclosure email)
* 2007-09-18 (**+2 days**): CVE-2007-4965 published
* 2007-09-19 (**+3 days**): Python issue bpo-1179 reported by Ismail Donmez
* 2008-08-19 (**+338 days**): commit 4df1b6d (branch 2.5)
* 2008-08-19 (**+338 days**): commit 93ebfb1 (branch 2.6)
* 2008-10-01: Python 2.6.0 released
* 2008-12-19 (**+460 days**): Python 2.5.3 released
* 2010-05-27 (**+984 days**): CVE-2009-4134 published
* 2010-05-27 (**+984 days**): CVE-2010-1449 published
* 2010-05-27 (**+984 days**): CVE-2010-1450 published

Links
-----

* http://seclists.org/fulldisclosure/2007/Sep/279
* http://bugs.python.org/issue8678
* https://bugzilla.redhat.com/show_bug.cgi?id=541698